On Friday 17 February 2006 03:35 pm, Paul Kölle wrote:
> Robert Larson wrote:
> > I have a system setup using OpenLDAP combined with Cyrus-SASL and Heimdal
> > kerberos.  I have tied samba into it, and will eventually setup samba-tng
> > as an authentication head for samba.  With samba, I may use NTLM
> > authentication to include more options for SSO.
>
> Why do you need samba-tng?
The first reason I will be going with TNG is to accommodate a growing network, 
essentially taking the task of serving files off of the same piece of 
software that authenticates all network NTLM requests.  The second is 
security, I don't want any authentication to be performed on any hosts 
housing "user" services.

I know that I could probably just use samba for this, but my understanding is 
that samba-tng aims to provide authentication mechanisms that are beyond the 
general samba file serving crowd.  This excerpt from 
http://www.samba-tng.org/faq.html will support the general idea:

"Samba-TNG is somewhat more advanced in terms of protocol support, although 
Samba is catching up and may be ahead in some areas.  If you want an NT 
domain controller running with an LDAP backend, optionally integrated with 
your LDAP-based Unix user database, you probably want to use Samba-TNG. Samba 
has some experimental support for this, but Samba-TNG has had it working for 
much longer so it is more mature."

>
> > The way my setup works is samba has access to use LDAP for accounting and
> > simple binds (over SSL/TLS).  Unfortunately, samba doesn't support
> > kerberos based authentication "(yet)".
>
> To be a bit more specific, samba(3) cannot hand tickets to windows
> clients (yet) ;)
Exactly, though, I haven't really looked into samba 4 yet.  Hmm, it seems like 
that may be my answer to that problem...

>
> In this setup, the users sign on to their
>
> > desktop, and the same login is used to access network shares without
> > prompt for another password (this happens by default on most windows
> > desktops) using NTLM.
>
> So this is a normal windows domain with a samba PDC?
Pretty much, although, it may be closer to a workgroup with one share machine 
(file server) performing NTLM based authentication.  I tried to keep it 
simple, especially since not all of our clients are domain ready (only those 
utilizing XP home edition to name a few).

> > Various applications using SPEGNO/GSSAPI can provide autologin
> > functionality using this same login if we chose to implement something to
> > that effect, but that depends entirely on the applications we might use. 
> > For example, IE and Firefox support SPEGNO/GSSAPI, so enabled web
> > applications may use this to authenticate the client without additional
> > credentials.
>
> As long as you don't get tickets for your (windows) clients, this is out
> of scope.
>
> cheers
>  Paul
>
> BTW: Does anyone know a site tracking security flaws for kernel 2.6 and
> the relevant fixes?
Have you tried kerneltrap.org?  There's always securityfocus.com...  Perhaps 
you're looking for is something different.  If you find it, let me know. =)

Thanks for the feedback, Paul!

-- 
[email protected] mailing list

Reply via email to