[Samba] Re: Samba PDC and Kerberos(MIT or SEAM in Unix, without microsoft ADS)

2002-10-31 Thread Yongjun Rong
Hi, Andrew,
   Thank you very much for your answer.
   Now our case is as below:
   1, our client machine is Windows 2000
   2, we want our Kerberos to run in the Unix box.
   3, we also want Samba as PDC for all Windows users and machines.
   4, we want to integrate the Kerberos authentication with the Samba authentication.
   So in this situation, can we get the Kerberos login from the Windows 2000 client,
because Windows 2000 supports Kerberos authentication? If it can, where can I
start?
   I have already set up the environment for the Windows 2000 client authenticating
itself to the Kerberos realm in Solaris, and for authenticating the Samba domain user
to the local Windows 2k machine. But these two cases are separated from each other,
which means the Kerberos authentication uses the Kerberos password and the Samba PDC
authentication uses the smbpasswd. And I can also map (using Ksetup /mapuser) the
Kerberos user to the local or Samba domain user and then do the authentication to
Kerberos. So what we really want is, when we do the Samba PDC authentication, we can
use the Kerberos password. I don't know if it is right. PLS correct me.
  Thank you very much.
  John

 Original Message 
From:   Andrew Bartlett
Date:   Mon 10/28/02 17:24
To: Yongjun Rong
Cc: [EMAIL PROTECTED]
Subject:Re: Samba and Kerberos(MIT or SEAM, without microsoft ADS)

Yongjun Rong wrote:

 Hi, Andrew,
 This is John from Texas Tech University. I have read your reply about Samba and
 Kerberos. May I ask you some questions about Samba and Kerberos?
 1, Can Samba use Kerberos (not with ADS, just MIT or SEAM in Solaris)
 as the authentication service and store Samba users and passwords in the Kerberos
 database directly, not using OpenLDAP?

If you can get the clients to send you a kerberos login without using
ADS, then the modification is relatively simple, and is part of the work
towards an Active Directory replacement.

2, If it cannot, I know Samba supports Kerberos with Microsoft ADS.
 Where can I start to change the source to enable the support for MIT or SEAM in
 Solaris? How can I do it? I have downloaded the source of samba3.0alpha20. And I also
 have configured Samba as a PDC for my win2k client.

You can't do PDC stuff with this kind of setup, not until we get a *lot*
more Active Directory work done.

3, You said that Samba should support MIT Kerberos, but not at this moment.
 Did it support Kerberos in an older version or not? Which version? If it was not
 supported, I wish I could do something for it.
Thank you very much for your help.
John.

In a very old version, we used the host keytab.  Now we use our own
secrets.tdb file, which we maintain.  This is because in an ADS
environment, we need to do both NT authentication and Kerberos.

Please put questions to the list, so that others may see the replies. 
CC me if you want me to actually read it however :-)

Andrew Bartlett

-- 
Andrew Bartlett [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team  [EMAIL PROTECTED]
Student Network Administrator, Hawker College   [EMAIL PROTECTED]
http://samba.org http://build.samba.org http://hawkerc.net




[Samba] Re: Samba and Kerberos PDC(MIT or SEAM, without microsoft ADS)

2002-10-29 Thread Yongjun Rong
Hi, Andrew,
   Thank you very much. I have read some information about the samba PDC kerberos 
authentication as below.

 Anyone worked with a combination of Samba (TNG, or 2.x) running as a PDC for
 a network of primarily NT workstations, with the passwords being
 authenticated back into a Kerberos IV database? or a Kerberos V?

 I'm trying to get this working so that I don't have to work with NT user
 accounts at my site, as I've got access to usernames and passwords through
 Kerberos.

If all you wanted was SMB sessions authenticated against Kerberos, that
wouldn't be too hard of a problem (although doing it Right might be another
matter).  But since you say you want this Samba machine to be a PDC, the
problem becomes much more difficult.

When a workstation authenticates to a PDC, it takes the password from the
user, encrypts it in NTLM format, and sends this (more or less securely) to
the server.  The server compares it with the NTLM-encrypted form of the
password that it has.

Kerberos, on the other hand, can be used for authentication in basically two
ways; one way (the preferred way for security) is third-party authentication
against the KDC.  Since this would require sending a Kerberos ticket across in
the SMB authentication sequence, it's pretty much out of the question, unless
you're prepared to modify the SMB support on all of your NT workstations.  The
other way to authenticate against a Kerberos database, the method used by PAM
modules and the like, is to pass the plaintext password to the server, and let
the server check if it can decrypt a TGT (ticket-granting-ticket) for the
user with the password it was given.

The problem then is, how do you get the cleartext password to the server?  If
you aren't using domain security, it can be done by turning on the cleartext
password option in your client registry; but with domain security, all you'll
ever get is the NTLM hash.

One option would be to use the NTLM hash as the key for encrypting user
tickets, instead of the plaintext password; but if your Kerberos database is
used for other things, then this isn't feasible either.

If you really need this to work, then you have three options...

1) back off the NT domain support, and do plaintext password authentication
against the Samba server (which will then authenticate against the KDC).  This
will cost you the security of the NT domain model.

2) use NTLM hashes in your KDC instead of plaintext passwords.  This will cost
you interoperability with existing Unix programs deployed on your network.

3) upgrade all of your NT workstations to Win2k.  God knows what /that/ will
cost you, and I'm not sure this would even work with Samba at this point.


   Can we get the NTLM hash from the Windows client when the user logs in to the Samba
PDC? And then in Samba, can we use the NTLM hash to simulate the Kerberos
tickets for the user and do the Kerberos authentication for the user?
  Thank you very much.
  John
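As an added illustration, not code from the thread or from Samba: the quoted explanation turns on the PDC only ever holding the NT hash, while a KDC doing a plaintext password check needs the password itself. The NT hash and the Kerberos rc4-hmac string-to-key (RFC 4757) are the same MD4 value, which is what makes the "NTLM hashes in your KDC" option workable; the smbpasswd entry and password below are constructed, and MD4 is implemented inline because hashlib often lacks it on OpenSSL 3 builds.

```python
import struct

MASK = 0xFFFFFFFF

def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib's md4 is often missing on OpenSSL 3 builds."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & MASK
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", len(data) * 8)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    rounds = [  # (function, additive constant, per-step shifts, message-word order)
        (F, 0, [3, 7, 11, 19], list(range(16))),
        (G, 0x5A827999, [3, 5, 9, 13], [(i % 4) * 4 + i // 4 for i in range(16)]),
        (H, 0x6ED9EBA1, [3, 9, 11, 15], [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]),
    ]
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for f, k, s, order in rounds:
            for i in range(16):  # registers rotate (a,b,c,d) -> (d,new,b,c) each step
                a, b, c, d = d, rotl((a + f(b, c, d) + X[order[i]] + k) & MASK, s[i % 4]), b, c
        a, b, c, d = (a + aa) & MASK, (b + bb) & MASK, (c + cc) & MASK, (d + dd) & MASK
    return struct.pack("<4I", a, b, c, d)

def nt_hash(password: str) -> bytes:
    """NT hash = MD4(UTF-16LE(password)). This is all a domain-joined client ever
    proves knowledge of to the PDC; the plaintext never reaches the server."""
    return md4(password.encode("utf-16-le"))

def rc4_hmac_key(password: str) -> bytes:
    """Kerberos rc4-hmac (etype 23) string-to-key per RFC 4757: MD4(UNICODE(password)).
    Byte-identical to the NT hash, so a KDC using this etype can be keyed from the hash
    the PDC already holds; DES etypes derive keys differently, hence the interop cost."""
    return md4(password.encode("utf-16-le"))

def smbpasswd_nt_hash(line: str) -> bytes:
    """Extract the NT hash from a Samba smbpasswd entry
    (user:uid:LMHASH:NTHASH:[flags]:LCT-xxxxxxxx:)."""
    return bytes.fromhex(line.split(":")[3])

def pdc_check(line: str, password: str) -> bool:
    """What the PDC can verify: hash against hash, never plaintext against a KDC."""
    return smbpasswd_nt_hash(line) == nt_hash(password)

# Constructed sample entry for user 'john' with password 'password' (LM hash disabled).
SAMPLE_ENTRY = "john:1001:" + "X" * 32 + ":" + nt_hash("password").hex().upper() + ":[U          ]:LCT-3DC00000:"
```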