S P Arif Sahari Wibowo
2017-Apr-27 13:17 UTC
[Samba] Samba authentication using non-AD Kerberos?
On 2017-04-25, 15:40, Andrew Bartlett via samba wrote:

> This looks like the instructions:
> https://social.technet.microsoft.com/wiki/contents/articles/2751.kerberos-interoperability-step-by-step-guide-for-windows-server-2003.aspx#Using_an_MIT_KDC_with_a_Stand-alone_Windows_Server_TwentyOhThree_Client

Thanks Andrew! This is quite useful info.

> Also, you still have to create all the user accounts on each
> Windows client, you just get to share the passwords.

Noted.

> All in all, you start to see why we built Samba's AD DC. You
> might not be able to use it, but we didn't think the
> alternative was practical either.

I brought up the question about using that in a forked thread, it seems like Rowland Penny thinks it will be impossible either.

My requirement is simple, we have existing OpenLDAP and Kerberos authentication system, and I want MS Windows to be able to mount shares from my server using credentials from that authentication system. In the old days (Samba 3), it can use LDAP for login but doing that by storing password in LDAP field using unsecure encryption, and I cannot do that now. I thought now with Samba 4 it will be possible to do with Kerberos.

Thank you.

--
(stephan paul) Arif Sahari Wibowo
http://www.arifsaha.com/

On Thu, 27 Apr 2017 07:17:22 -0600 (MDT) S P Arif Sahari Wibowo via samba <samba at lists.samba.org> wrote:

> My requirement is simple, we have existing OpenLDAP and Kerberos
> authentication system, and I want MS Windows to be able to mount
> shares from my server using credentials from that authentication
> system. In the old days (Samba 3), it can use LDAP for login but
> doing that by storing password in LDAP field using unsecure
> encryption, and I cannot do that now. I thought now with Samba 4
> it will be possible to do with Kerberos.

You probably could use Samba 4 in the same way as you used Samba 3, but then it wouldn't be AD.

What you are trying to do isn't easy; if it was, Microsoft wouldn't have gone to all the trouble of creating AD.

You are not the first to try and get AD to work with your setup, rather than getting your setup to work with AD. Believe me, it will be easier to do the latter rather than the former.

Rowland
S P Arif Sahari Wibowo
2017-Apr-27 15:28 UTC
[Samba] Samba authentication using non-AD Kerberos?
On 2017-04-27, 07:41, Rowland Penny via samba wrote:

> You probably could use Samba 4 in the same way as you used
> Samba 3,

For security and hard-to-maintain reasons, it is not an option.

> You are not the first to try and get AD to work with your
> setup, rather than getting your setup to work with AD. Believe
> me, it will be easier to do the latter rather than the former.

As I said before, the latter is not an option, and I don't control that.

--
(stephan paul) Arif Sahari Wibowo
http://www.arifsaha.com/

On Thu, 2017-04-27 at 07:17 -0600, S P Arif Sahari Wibowo via samba wrote:

> In the old days (Samba 3), it can use LDAP for login but
> doing that by storing password in LDAP field using unsecure
> encryption, and I cannot do that now.

To be clear, as I think Rowland has already mentioned, (almost) everything that Samba could do previously with 'Samba 3', it can still do.

If your LDAP/Kerberos system has dropped storing the sambaNTPassword however, then that change on your end is not something we can do anything about.

Thanks,

Andrew Bartlett

--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba