On Friday 17 February 2006 03:35 pm, Paul Kölle wrote: > Robert Larson wrote: > > I have a system setup using OpenLDAP combined with Cyrus-SASL and Heimdal > > kerberos. I have tied samba into it, and will eventually setup samba-tng > > as an authentication head for samba. With samba, I may use NTLM > > authentication to include more options for SSO. > > Why do you need samba-tng? The first reason I will be going with TNG is to accommodate a growing network, essentially taking the task of serving files off of the same piece of software that authenticates all network NTLM requests. The second is security, I don't want any authentication to be performed on any hosts housing "user" services.
I know that I could probably just use samba for this, but my understanding is that samba-tng aims to provide authentication mechanisms that are beyond the general samba file serving crowd. This excerpt from http://www.samba-tng.org/faq.html will support the general idea: "Samba-TNG is somewhat more advanced in terms of protocol support, although Samba is catching up and may be ahead in some areas. If you want an NT domain controller running with an LDAP backend, optionally integrated with your LDAP-based Unix user database, you probably want to use Samba-TNG. Samba has some experimental support for this, but Samba-TNG has had it working for much longer so it is more mature." > > > The way my setup works is samba has access to use LDAP for accounting and > > simple binds (over SSL/TLS). Unfortunately, samba doesn't support > > kerberos based authentication "(yet)". > > To be a bit more specific, samba(3) cannot hand tickets to windows > clients (yet) ;) Exactly, though, I haven't really looked into samba 4 yet. Hmm, it seems like that may be my answer to that problem... > > In this setup, the users sign on to their > > > desktop, and the same login is used to access network shares without > > prompt for another password (this happens by default on most windows > > desktops) using NTLM. > > So this is a normal windows domain with a samba PDC? Pretty much, although, it may be closer to a workgroup with one share machine (file server) performing NTLM based authentication. I tried to keep it simple, especially since not all of our clients are domain ready (only those utilizing XP home edition to name a few). > > Various applications using SPEGNO/GSSAPI can provide autologin > > functionality using this same login if we chose to implement something to > > that effect, but that depends entirely on the applications we might use. > > For example, IE and Firefox support SPEGNO/GSSAPI, so enabled web > > applications may use this to authenticate the client without additional > > credentials. > > As long as you don't get tickets for your (windows) clients, this is out > of scope. > > cheers > Paul > > BTW: Does anyone know a site tracking security flaws for kernel 2.6 and > the relevant fixes? Have you tried kerneltrap.org? There's always securityfocus.com... Perhaps you're looking for is something different. If you find it, let me know. =) Thanks for the feedback, Paul! -- [email protected] mailing list
