Andrew Bartlett wrote:
| On Mon, Apr 12, 2004 at 12:21:41PM +0200, Gémes Géza wrote:
|
|>Sensei wrote:
|>| On Sat, 2004-04-10 at 16:07, Andrew Bartlett wrote:
|>|
|>|>Samba cannot use the kerberos tickets directly - not unless the KDC is
|>|>Active Directory (for now). But it is possible for Samba to use the
|>|>same password store. (For NTLM, but not kerberos passwords)
|>|>
|>|>What is your KDC? MIT or Heimdal? Are you using the Heimdal LDAP
|>|>backend?
|>|
|>| MIT K5. The passwords are stored only in the kerberos database.
|>|
|>|>While the work is still new, there is support in Heimdal to read Samba
|>|>password entries in LDAP. There is also an OpenLDAP plugin to set
|>|>both Samba and Kerberos passwords on password change.
|>|>
|>|>You would need to manually edit your LDAP database, to expose the
|>|>passwords in 'Samba' format - potentially a dump and restore of the
|>|>Heimdal entries might do it, if the sambaSamAccount objectClass was
|>|>added, and you used a current snapshot.
|>|
|>| It would be nice to have just kerberos passwords. I've done this with
|>| ldap (sasl gssapi authentication via k5) and afs (tokens are released on
|>| ticket releasing).
|>|
|>| The main issue is the integrated windows login: a student must login,
|>| gain tickets and token, and have his windows home dir set to what ldap
|>| shows him: this means that afs must be enabled at boot.
|>|
|>| How would you do this? I don't have any clues...
|>
|>I see a different solution here:
|>The user authenticates to a Samba controlled Domain, and because Samba has the
|>Kerberos password (=NTPassword hash) it could impersonate the user,
|>acting to the AFS/Coda cell on behalf of her/him. In this way Samba
|>could become a gateway between Windows clients and AFS/Coda servers.
|>Unfortunately I don't know how that could be implemented.
|
| See Volker's presentation to SambaXP, and the --with-fake-kaserver
| option to Samba.
Sorry for being so tenacious on this (maybe unimportant) subject. But this is what I've understood about what fake-kaserver does:
 ___________             _____________             _____________
|           |           |             |           |             |
|  Windows  |-Kerberos->|    Samba    |---------->|     AFS     |
|  client   |   auth    |   server    |           |    cell     |
|___________|           |_____________|           |_____________|
                               ^
                               |
                               |
                               |
                         ______|______
                        |             |
                        |     AD      |
                        |   server    |
                        |_____________|
But what I was thinking about would be:
 ___________             _____________             _____________
|           |           |             |           |    Coda     |
|  Windows  |----NTLM-->|    Samba    |---------->|     or      |
|  client   |   auth    |     PDC     |           |     AFS     |
|___________|           |_LDAP back___|           |____cell_____|
                               ^
                               |
                               | getting ticket
                               | for
                               | Kerberos unaware clients
                         ______|______
                        |             |
                        |   Heimdal   |
                        |   current   |
                        |_LDAP back___|

Thanks,
Geza
