Wes Modes
2008-Apr-03 20:35 UTC
[Samba] Samba authentication to Kerberos via OpenLDAP, third and last try
So far answers I've received on this list have been inconsistent at best
and downright inaccurate at worst. I'm going to try one more time and
see if, at the very least, someone can give me a lead. I ask you to
consider what I'm asking remotely possible, and then seek a solution.
(Particularly before one blasts off an ill-thought out message that says
simply, "Can't be done," simply because you've never done it or haven't
heard of it being done.) So consider this a challenge or a riddle.
1. I have an OpenLDAP directory server that I am using for user and
group information. I would like to use it also to authenticate
against. This way, whatever I hook up to it (Samba, webstuff, PHP
apps, CMS) can both authenticate and authorize from one source.
2. There is a separate Kerberos server that has users' campus-wide
passwords. I have access to it, but do not control it.
3. I have a separate linux file server running Samba. PCs and Macs
will connect to it.
I know I can do Kerberos authentication directly from Samba, but I'd
prefer OpenLDAP do the Kerberos connection. Here's why: a) I can solve
the problem once, rather than have to work out BOTH LDAP and Kerberos
connections for every new authenticated service I add, and b) LDAP hooks
are more common than Kerberos hooks for other services for which I will
eventually want authentication and authorization. And yes, I know it
breaks the Kerberos model.
The question and the challenge: Any leads on how I might convince Samba
to pass the input password on to OpenLDAP so that OpenLDAP can
authenticate it against Kerberos?
Wes
--
Wes Modes
Server Administrator & Programmer Analyst
McHenry Library
Computing & Network Services
Information and Technology Services
459-5208
Volker Lendecke
2008-Apr-03 20:52 UTC
[Samba] Samba authentication to Kerberos via OpenLDAP, third and last try
On Thu, Apr 03, 2008 at 01:34:30PM -0700, Wes Modes wrote:
> The question and the challenge: Any leads on how I might convince Samba
> to pass the input password on to OpenLDAP so that OpenLDAP can
> authenticate it against Kerberos?

The only chance is that you modify each client's registry to send plain
text passwords to the server over the network, downgrading your security
to what telnet provided ages ago. You can guess that this is ABSOLUTELY
NOT recommended.

If you go with standard Windows authentication schemes, the SMB server
never sees the user's plain text password which would be required to
authenticate against Kerberos.

Volker
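
An added illustration of the point in the reply above (not code from either poster or from the Samba project): a simplified challenge-response login in which the file server can verify a user yet never holds the plaintext that a password-based check would need. Assumptions: SHA-256 and HMAC-SHA256 stand in for the real Windows authentication primitives, and the account name and password are constructed sample values.

```python
import hashlib
import hmac
import os

def verifier(password: str) -> bytes:
    # One-way hash the server stores (SHA-256 here as a stand-in for the NT hash).
    return hashlib.sha256(password.encode("utf-16-le")).digest()

def client_response(password: str, challenge: bytes) -> bytes:
    # The client proves it knows the password by keying an HMAC over the
    # server's challenge; the password itself never goes on the wire.
    return hmac.new(verifier(password), challenge, hashlib.sha256).digest()

class FileServer:
    def __init__(self, accounts: dict):
        # The account database holds one-way hashes only.
        self.db = {user: verifier(pw) for user, pw in accounts.items()}
        self.received = []  # every value a client has sent to this server

    def challenge(self) -> bytes:
        return os.urandom(16)

    def login(self, user: str, challenge: bytes, response: bytes) -> bool:
        self.received += [user.encode(), response]
        key = self.db.get(user)
        if key is None:
            return False
        expected = hmac.new(key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

def demo() -> dict:
    password = "correct horse battery"        # constructed sample credential
    server = FileServer({"alice": password})  # constructed sample account
    c1 = server.challenge()
    good = server.login("alice", c1, client_response(password, c1))
    c2 = server.challenge()
    bad = server.login("alice", c2, client_response("wrong guess", c2))
    # Search everything the server stores or received for the plaintext that a
    # password-based check (LDAP simple bind, Kerberos login) would require.
    held = server.received + list(server.db.values())
    forms = (password.encode(), password.encode("utf-16-le"))
    visible = any(form in item for form in forms for item in held)
    return {"good_login": good, "bad_login": bad, "plaintext_visible": visible}

if __name__ == "__main__":
    print(demo())
```

The server authenticates the user correctly, but nothing it stores or receives can be handed to a downstream service that expects the password itself.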