similar to: Samba authentication against Linux-based Kerberos

I know OpenSSH currently supports PKCS11 devices (such as smartcards) for publickey authentication, but I would love to see PKCS11 extended further. It is currently possible to perform PKCS11 certificate authentication, via pam_krb5.so (on Linux at least and likely something similar on other *NIX) which allows smartcard auth to a Kerberos (including AD) server, where a TGT can also be granted.

in our lab we have a kerberos + ldap server to authenticate the gnu/linux users and we have configured samba to work as a PDC authenticating the windows users. samba stores the password in encrypted format in /etc/samba/smbpasswd. The problem is when the password is changed by windows users we need to change the password of kerberos credentials. Is there a way in samba in to do that i.e to

Alon, I should have provided more background. You are assuming that I could perform the PKINIT prior to connecting to the SSH server. In this case (and others) there is an interest in not exposing the kerberos servers to the world and thus someone connecting remotely would not be able to obtain a TGT or do a PKINIT. The goal would be for SSH to handle all the auth and only after connecting to

Alon, On 12/18/2018 06:52 PM, Alon Bar-Lev wrote: > OK... So you have an issue... > > First, you need to delegate your smartcard to remote machine, probably > using unix socket redirection managed by openssh. This can be done in > many levels... > 1. Delegate USB device, this will enable only exclusive usage of the > smartcard by remote machine. > 2. Delegate PC/SC, this

On 11.12.18 18:19, walk2sun via samba wrote: > Am 11.12.18 um 15:36 schrieb tseegerkrb via samba: >> On 11.12.18 15:23, Rowland Penny via samba wrote: >>> On Tue, 11 Dec 2018 15:09:39 +0100 >>> tseegerkrb via samba <samba at lists.samba.org> wrote: >>> >>>> Hello list, >>>> >>>> a quick question. Right now I have a

I'm trying to integrate Samba with my kerberos configuration on Solaris 10 (with Samba 3.0.23d) and I have one basic issue - probably I don't understand something. Hopefully one of you experts can help. We have an AD based organization but we do a lot of Unix work on Solaris 10 and AIX 5.3 - I have about 75 *nix servers of various flavors. There's a lot of value in SSO

On 11.12.18 15:23, Rowland Penny via samba wrote: > On Tue, 11 Dec 2018 15:09:39 +0100 > tseegerkrb via samba <samba at lists.samba.org> wrote: > >> Hello list, >> >> a quick question. Right now I have a combination of MIT Kerberos, >> OpenLDAP and SSSD for authenticating my users. Is there a way that >> Samba can use this setup to perform user

I am getting a bit confused about which methods to use to keep my passwords synced given the following scenario. Samba PDC using LDAP backend. LDAP uses {SASL}princ@REALM type passwords Sasl mechanism is saslauthd using kerberos5 I can use pam like: password required pam_smbpass.so password required pam_krb5.so use_first_pass and then passwd will set both passwords but how can I make it

> -----Original Message----- > From: Brian J. Murrell [mailto:brian@interlinx.bc.ca] > > - Single Sign-On via Kerberos > > OK. Actually I understood this feature. I am just wondering how it > applies in an MS network. SSO to all of what? If my DCs are my > file/printer server(s) (let's say I mirror the data contents > of my PDC to > my BDC as well --

I have been trying to get SSO to work correctly with the following packages, and I appear I am missing something and I was wondering if anyone can help me or point me in the right direction? I am currently using the "auth_ntlm_winbind_module" for apache to try and authenticate and was hoping to get SSO to work. I have gone through all the steps on SEVERAL sites trying to figure out how

Hi Samba Users, I have Samba providing shares to several XP clients. The clients currently authenticate using private/smbpasswd. I do not have an Active Directory server nor any Windows servers. I also have an MIT KDC. Various services have been Kerberised including SSH (proper GSSAPI negotiation) and Apache (Basic auth). This is all functioning correctly. The Apache login and SSH logins from

Hi, I'm trying to get an IMAP server to authenticate using Kerberos rather than storing and sending passwords all over the place. I've tried to do this following the instructions for setting up Apache SSO (https://wiki.samba.org/index.php/Samba4/beyond#Apache_Single_Sign-On) but am unable to export the keytab. Searching through the list it looks like a few others have experienced the

Hi, On 27-06-2016 08:58, Mark Foley wrote: > So, I'm apparently lacking in the kerberos stuff. Here's the problem -- Samba4 uses Heimdal > Kerberos and when I provisioned my domain apparently none of these needed kerberos files were > set up. I can, however, kerberos authenticate from domain workstations both WIN7 and Linux. You don't need any Samba4 stuff, to get it

Hi all, I have a running Samba4 Server. I am able to authenticate Windows and Linux Clients very. (1) I want to use samba4 as SSO. In this regard my next step is to authenticate our web site users from samba4 server. In this web site, at home page our corporate users give their e-mail address username at companydomain.com and password (not e-mail password). (2) Our E-mail server is hosted on

Dear list members, i am trying to implement SSO solution on my windows network. Right now, for testing purposes, i have setted a kerberos server to authenticate my users. Using this kerberos server, i am able to log on any of my unix workstations. Users information is retrieve from nis and the authentication process is performed by keberos on its all. Done so with unix, i starting testing with

Hi List, My goal in sending this email is to get some direction on where to start looking to solve my problem. Thank you all in advance for reading through this and providing any guidance! I'm working on moving to new servers, upgrading from CentOS 6.7 to CentOS 7.5. In this move, we are also upgrading from Apache/2.2.15 to Apache/ 2.4.33. Our servers are all sitting behind a load

Hi, I?ve been reading up on SSO-based logins for the last couple of weeks. I?ve found a lot of information about it, but nothing that matches my situation. Here?s the gist of my situation... - I have a Samba 3 PDC in our corporate office as well as three remote offices. - Each remote office is in a different physical building and connected to the Corporate office either via Point-to-Point T-1

Hello all, I am doing some tests for an SSO for our Windows workstations using Kerberos without ADS. So far, Windows client can obtain the ticket from the Heimdal KDC and it's possible to login to SSH servers using Vintela Putty. I am now trying to use the Kerberos credentials to access Samba shares. I can mount the shares using my Kerberos tickets from a Linux and I see the service ticket

Hi, I built an apache config which combines Kerberos-Authentication and LDAP-Authorization to allow SSO and require ldap-group at the same time. I think this might be interesting to add to [1], but before that, I would like to have it double-checked, to be sure that it adds no security issues. The steps to create the keytab file, etc are from the other two guides, except that the user

Hai, Lets start here. Handy for us to know. OS? Samba version? AD or member setup? And I suggest, set this in the ssh server. # GSSAPI options GSSAPIAuthentication yes Restart the ssh server and try to SSO login. If its a AD server this should work. Yes, you dont get home dir etc, end up in / after login, but lets check if this works. Greetz, Louis > -----Oorspronkelijk