Hi, Andrew,
Thank you very much. I have read some information about Samba PDC Kerberos
authentication, as below.
Anyone worked with a combination of Samba (TNG, or 2.x) running as a PDC for
a network of primarily NT workstations, with the passwords being
authenticated back into a Kerberos IV database? or a Kerberos V?
I'm trying to get this working so that I don't have to work with NT user
accounts at my site, as I've got access to usernames and passwords through
Kerberos.
If all you wanted was SMB sessions authenticated against Kerberos, that
wouldn't be too hard of a problem (although doing it Right might be another
matter). But since you say you want this Samba machine to be a PDC, the
problem becomes much more difficult.
When a workstation authenticates to a PDC, it takes the password from the
user, encrypts it in NTLM format, and sends this (more or less securely) to
the server. The server compares it with the NTLM-encrypted form of the
password that it has.
Kerberos, on the other hand, can be used for authentication in basically two
ways; one way (the preferred way for security) is third-party authentication
against the KDC. Since this would require sending a Kerberos ticket across in
the SMB authentication sequence, it's pretty much out of the question, unless
you're prepared to modify the SMB support on all of your NT workstations. The
other way to authenticate against a Kerberos database, the method used by PAM
modules and the like, is to pass the plaintext password to the server, and let
the server check if it can decrypt a TGT (ticket-granting-ticket) for the
user with the password it was given.
The problem then is, how do you get the cleartext password to the server? If
you aren't using domain security, it can be done by turning on the cleartext
password option in your client registry; but with domain security, all you'll
ever get is the NTLM hash.
One option would be to use the NTLM hash as the key for encrypting user
tickets, instead of the plaintext password; but if your Kerberos database is
used for other things, then this isn't feasible either.
If you really need this to work, then you have three options...
1) back off the NT domain support, and do plaintext password authentication
against the Samba server (which will then authenticate against the KDC). This
will cost you the security of the NT domain model.
2) use NTLM hashes in your KDC instead of plaintext passwords. This will cost
you interoperability with existing Unix programs deployed on your network.
3) upgrade all of your NT workstations to Win2k. God knows what /that/ will
cost you, and I'm not sure this would even work with Samba at this point.
Can we get the NTLM hash from the Windows client when the user logs in to the Samba
PDC? And then, in Samba, can we use the NTLM hash to simulate the Kerberos
tickets for the user and do the Kerberos authentication for the user?
Thank you very much.
John
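The NT hash as a Kerberos key, which both the quoted explanation ("use the NTLM hash as the key for encrypting user tickets") and John's question turn on, as an added example; this is the editor's code, not Samba's and not from anyone in the thread. It rests on one fact: the NT hash is MD4 over the UTF-16LE password with no salt, and RFC 4757 defines the rc4-hmac Kerberos key as exactly that value. Everything else is simplified and assumed: the AS-REP enc-part is a bare session key rather than ASN.1, the RFC 4120 key-usage number 3 is used directly as RFC 4757's T value, and the credential and keys are constructed test data. It also assumes the domain side already holds the user's NT hash, as a PDC's account database does; an NTLM logon itself carries a challenge response computed from the hash rather than the hash. MD4 and RC4 are written out so the script runs without OpenSSL's legacy provider.

```python
"""NT hash as a Kerberos key.  Editor's example for this thread; not Samba code.

The NT hash is MD4 over the UTF-16LE password, with no salt.  RFC 4757 defines
the rc4-hmac Kerberos key as that same value, so a server holding only the NT
hash can decrypt rc4-hmac Kerberos data for the user (the quoted "option 2").
"""
import hashlib
import hmac
import os
import struct
from typing import Optional

MASK32 = 0xFFFFFFFF
# RFC 4120 key-usage number for the AS-REP enc-part; used directly as
# RFC 4757's T value (assumption: no export-key special cases).
AS_REP_USAGE = 3


def md4(data: bytes) -> bytes:
    """MD4 per RFC 1320 (pure Python; hashlib's md4 is often disabled on OpenSSL 3)."""
    bit_len = (len(data) * 8) & 0xFFFFFFFFFFFFFFFF
    data += b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", bit_len)
    mix_f = lambda x, y, z: (x & y) | (~x & z)
    mix_g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    mix_h = lambda x, y, z: x ^ y ^ z
    rol = lambda x, n: ((x << n) | (x >> (32 - n))) & MASK32
    rounds = (  # (mix function, additive constant, shift table, message-word order)
        (mix_f, 0x00000000, (3, 7, 11, 19), lambda i: i),
        (mix_g, 0x5A827999, (3, 5, 9, 13), lambda i: (i % 4) * 4 + i // 4),
        (mix_h, 0x6ED9EBA1, (3, 9, 11, 15), lambda i: int(f"{i:04b}"[::-1], 2)),
    )
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(data), 64):
        x = struct.unpack("<16I", data[off:off + 64])
        a, b, c, d = state
        for fn, k, shifts, order in rounds:
            for i in range(16):
                a = rol((a + fn(b, c, d) + x[order(i)] + k) & MASK32, shifts[i % 4])
                a, b, c, d = d, a, b, c  # rotate registers so each step updates "a"
        state = [(s + v) & MASK32 for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """NT hash = MD4(UTF-16LE(password)); no salt, and identical to the rc4-hmac key."""
    return md4(password.encode("utf-16-le"))


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4: key schedule, then XOR the keystream over data."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def rc4_hmac_encrypt(key: bytes, usage: int, plaintext: bytes,
                     confounder: Optional[bytes] = None) -> bytes:
    """RFC 4757 rc4-hmac encrypt: returns checksum || RC4(K3, confounder || plaintext)."""
    body = (confounder if confounder is not None else os.urandom(8)) + plaintext
    k1 = hmac.new(key, struct.pack("<I", usage), hashlib.md5).digest()
    checksum = hmac.new(k1, body, hashlib.md5).digest()  # K2 == K1 for non-export keys
    k3 = hmac.new(k1, checksum, hashlib.md5).digest()
    return checksum + rc4(k3, body)


def rc4_hmac_decrypt(key: bytes, usage: int, blob: bytes) -> Optional[bytes]:
    """Inverse of rc4_hmac_encrypt; None when the key is wrong (checksum mismatch)."""
    if len(blob) < 24:
        return None
    checksum, edata = blob[:16], blob[16:]
    k1 = hmac.new(key, struct.pack("<I", usage), hashlib.md5).digest()
    k3 = hmac.new(k1, checksum, hashlib.md5).digest()
    body = rc4(k3, edata)
    if not hmac.compare_digest(hmac.new(k1, body, hashlib.md5).digest(), checksum):
        return None
    return body[8:]


def kdc_issue_as_rep(principal_key: bytes, session_key: bytes) -> bytes:
    """KDC side: seal the AS-REP enc-part (here just the session key) under the user's key."""
    return rc4_hmac_encrypt(principal_key, AS_REP_USAGE, session_key)


def verify_with_cleartext(password: str, as_rep: bytes) -> bool:
    """PAM-style path from the quoted text: derive the key from the cleartext, then decrypt."""
    return rc4_hmac_decrypt(nt_hash(password), AS_REP_USAGE, as_rep) is not None


def verify_with_nt_hash(nthash: bytes, as_rep: bytes) -> bool:
    """Option 2: the domain side holds only the NT hash, which *is* the rc4-hmac key."""
    return rc4_hmac_decrypt(nthash, AS_REP_USAGE, as_rep) is not None


if __name__ == "__main__":
    pw = "password"  # constructed sample credential
    key = nt_hash(pw)
    print("NT hash / rc4-hmac key:", key.hex())
    as_rep = kdc_issue_as_rep(key, os.urandom(16))
    print("cleartext path:", verify_with_cleartext(pw, as_rep))
    print("NT-hash path:", verify_with_nt_hash(key, as_rep))
    print("wrong NT hash:", verify_with_nt_hash(nt_hash("wrong"), as_rep))
```

Running it prints the NT hash of "password" (8846f7eaee8fb117ad06bdd830b7586c) followed by True, True, False: the cleartext-derived key and the stored NT hash open the same enc-part, and a different hash fails the checksum. The "interoperability" cost the quoted message attaches to option 2 is visible in nt_hash: there is no salt and no string-to-key step, so des-cbc-crc or AES keys, which are derived from the cleartext and a salt, cannot be produced from the NT hash, and a KDC keyed this way serves rc4-hmac only, an enctype that RFC 8429 has since deprecated.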
---
Original Message
From: Andrew Bartlett
Date: Mon 10/28/02 17:24
To: Yongjun Rong
Cc: [EMAIL PROTECTED]
Subject: Re: Samba and Kerberos (MIT or SEAM, without Microsoft ADS)
Yongjun Rong wrote:
Hi, Andrew,
This is John from Texas Tech University. I have read your reply about Samba and
Kerberos. May I ask you some questions about Samba and Kerberos?
1. Can Samba use Kerberos (not with ADS, just MIT or SEAM in Solaris)
as the authentication service and store Samba users and passwords in the Kerberos
database directly, without using OpenLDAP?
If you can get the clients to send you a Kerberos login without using
ADS, then the modification is relatively simple, and is part of the work
towards an Active Directory replacement.
2. If it cannot, I know that Samba supports Kerberos with Microsoft ADS.
Where can I start to change the source to enable support for MIT or SEAM in
Solaris? How can I do it? I have downloaded the source of samba3.0alpha20, and I have also
configured Samba as a PDC for my Win2k client.
You can't do PDC stuff with this kind of setup, not until we get a *lot*
more Active Directory work done.
3. You said that Samba should support MIT Kerberos, but not at this moment.
Did it support Kerberos in an older version or not? Which version? If it was not
supported, I wish I could do something for it.
Thank you very much for your help.
John.
In a very old version, we used the host keytab. Now we use our own
secrets.tdb file, which we maintain. This is because in an ADS
environment, we need to do both NT authentication and Kerberos.
Please put questions to the list, so that others may see the replies.
CC me if you want me