Re: [Samba] Re: Samba PDC and Kerberos(MIT or SEAM in Unix, without microsoft ADS)

2002-11-01 Thread Jonathan Higgins
A few more questions and comments... related to this topic

If Kerberos is the back-end to LDAP.. there is no need to synchronize or store a 
password in the LDAP tree.. just the principal for the user in the userpassword 
attribute: userpassword = {kerberos}name@domain

in the smb.conf file do I need stuff like this?
Unix password sync = yes
passwd program = /some-path/to-a/script-which/synchronize-kerb-smb %u

in this program synchronize-kerb-smb
%u is the username and comes in as an argument, then request the password and read it 
in from STDIN.. ... then run a smbpasswd %u feeding the password.. and  then get a 
valid user/admin ticket using kinit for an account validated by a keytab .. then run 
kadmin.local -q 'cpw -pw $password $username' to synchronize with Kerberos

this has the potential to work (I think) but... I'm missing a few parts.. can a script 
like this synchronize passwords when they are forced to change their password at the 
client level.. say expire the user's password?  And what happens if they change their 
password using kpassword.. that has the potential to unsynchronize the passwords..

Also.. what about adding machine trusts to the samba domain?.. I've seen where 
people use the:
add user script = /some/adduserscript -n -g machines -c Machine -d /dev/null -s 
/bin/false $m$

is there any way to change the LDAP suffix before adding a machine to the LDAP tree?.. 
In my current setup I have all users in an ou=people area.. and so my LDAP suffix = 
ou=people, dc=domain.. but I don't want to add machines to this container.. I would 
rather put them in something like ou=hosts, dc=domain..
I have many more questions but don't want to change the topic too much...


Jonathan Higgins
Network Service Specialist IV
[EMAIL PROTECTED]


 Yura Pismerov [EMAIL PROTECTED] 10/31/02 07:38PM 

Here is what you could use:

LDAP with Kerberos password backend.
Samba 2.2.6 PDC with LDAP backend.

Windows passwords are stored in LDAP in the samba object, not in the Kerberos
KDC, since they use incompatible encryption methods.

Use Kerberos passwords as the primary source and synchronize Windows
passwords with them when a user changes his password or an administrator
resets it.

This setup will allow you to use the same password across the board for Unix
shell access and email (via pam_ldap, nss_ldap and pam_krb5) and for
Windows access (via Samba PDC), and the same namespace will be used
everywhere (via LDAP), so no mapping is needed.

Of course it will require quite a few scripts to synchronize passwords,
create users in LDAP and Kerberos, etc. But it works...



Yongjun Rong wrote:
 
 Hi, Andrew,
Thank you very much for your answer.
Now our case is as below:
1, our client machine is the windows 2000
2, We want our Kerberos to run in the Unix box.
3, We also want the samba as PDC for all windows users and machines.
4, We want to integrate the Kerberos Authentication with samba authentication.
So in this situation, can we get the kerberos login from the windows 2000 client
 because windows 2000 supports kerberos authentication. If it can, where can I
 start?
I have already set up the environment for the windows 2000 client authenticating
 himself to the Kerberos Realm in the Solaris and authenticating the samba domain user
 to the local windows 2k machine. But these two cases are separated from each other,
 which means the kerberos authentication uses the kerberos password and samba PDC
 authentication uses the smbpasswd. And I can also map (using Ksetup /mapuser) the
 kerberos user to the local or samba domain user and then do the authentication to
 the kerberos. So what we really want is, when we do the samba PDC authentication we can
 use the kerberos password. I don't know if it is right. PLS correct me.
   Thank you very much.
   John
 
  Original Message 
 From:   Andrew Bartlett
 Date:   Mon 10/28/02 17:24
 To: Yongjun Rong
 Cc: [EMAIL PROTECTED] 
 Subject:Re: Samba and Kerberos(MIT or SEAM, without microsoft ADS)
 
 Yongjun Rong wrote:
 
  Hi, Andrew,
 This is John from Texas Tech University. I have read your reply about samba and
  kerberos. May I ask you some questions about samba and Kerberos.
 1, Can samba use kerberos (not with ADS, just MIT or SEAM in Solaris)
  as the authentication service and store samba users and passwords in the kerberos
  database directly, not using OpenLDAP?
 
 If you can get the clients to send you a kerberos login without using
 ADS, then the modification is relatively simple, and is part of the work
 towards an Active Directory replacement.
 
 2, If it cannot, I know samba supports Kerberos with Microsoft ADS.
  Where can I start to change the source to enable the support for MIT or SEAM in
  Solaris? How can I do it? I have downloaded the source of samba3.0alpha20. And I also
  have configured samba as a PDC for my win2k client.
 
 You can't do PDC stuff with this kind of setup, 

Re: [Samba] Re: Samba PDC and Kerberos(MIT or SEAM in Unix, without microsoft ADS)

2002-11-01 Thread Yura Pismerov


Jonathan Higgins wrote:
 
 A few more questions and comments... related to this topic
 
 If Kerberos is the back-end to LDAP.. there is no need to synchronize or store a 
password in the LDAP tree.. just the principal for the user in the userpassword 
attribute: userpassword = {kerberos}name@domain

That is correct. I did not mean sync between Kerberos and LDAP, I meant
sync between Kerberos and the Samba passwords stored in LDAP. 


 
 in the smb.conf file do I need stuff like this?
 Unix password sync = yes
 passwd program = /some-path/to-a/script-which/synchronize-kerb-smb %u

Yes. 

 
 in this program synchronize-kerb-smb
 %u is the username and comes in as an argument, then request the password and read 
it in from STDIN.. ... then run a smbpasswd %u feeding the password.. and  then get 
a valid user/admin ticket using kinit for an account validated by a keytab .. then 
run kadmin.local -q 'cpw -pw $password $username' to synchronize with Kerberos

An easier (though not yet more secure) way is to create a separate Kerberos
principal with permissions for password change, save the key (with
ktadd -k file) in a separate keytab and use the key with kadmin -k -t
/path/keytab -p principal_name. Then cpw user@DOMAIN will change the
password for the user. The cpw command can be passed to kadmin via an
expect script or via STDIN (less secure though).


 
 this has the potential to work (I think) but... I'm missing a few parts.. can a script 
like this synchronize passwords when they are forced to change their password at the 
client level.. say expire the user's password?  And what happens if they change their 


Kerberos has its own password expiration mechanism. You can write a
script that will scan the principals in the KDC, extract the password expiry
dates and compare them with the current date.
Then, let's say 5 days before the expiration, it can start sending
notifications to users. The warning message can contain a link to a
webpage for the password change.


password using kpassword.. that has the potential to unsynchronize the passwords..

Yes, if a user changes the password with kpassword, there is no way to
synchronize it with the Samba password. So users must be instructed to use
either the standard Windows way to change passwords, or a webpage. The
CGI script will take care of changing passwords in the Kerberos and Samba
(via smbldap utilities, for example) realms.

 
 Also.. what about adding machine trusts to the samba domain?.. I've seen where 
people use the:
 add user script = /some/adduserscript -n -g machines -c Machine -d /dev/null -s 
/bin/false $m$
 
 is there any way to change the LDAP suffix before adding a machine to the LDAP 
tree?.. In my current setup I have all users in an ou=people area.. and so my LDAP 
suffix = ou=people, dc=domain.. but I don't want to add machines to this 
container.. I would rather put them in something like ou=hosts, dc=domain..

Yes, you can do it with the mentioned smbldap scripts, where the People and
Computers DNs can be configured. Then you use add user
script = /path/smbldap-useradd.pl -w %m$


 I have many more questions but don't want to change the topic too much...

:)

 
 Jonathan Higgins
 Network Service Specialist IV
 [EMAIL PROTECTED]
 
  Yura Pismerov [EMAIL PROTECTED] 10/31/02 07:38PM 
 
 Here is what you could use:
 
 LDAP with Kerberos password backend.
 Samba 2.2.6 PDC with LDAP backend.
 
 Windows passwords are stored in LDAP in the samba object, not in the Kerberos
 KDC, since they use incompatible encryption methods.
 
 Use Kerberos passwords as the primary source and synchronize Windows
 passwords with them when a user changes his password or an administrator
 resets it.
 
 This setup will allow you to use the same password across the board for Unix
 shell access and email (via pam_ldap, nss_ldap and pam_krb5) and for
 Windows access (via Samba PDC), and the same namespace will be used
 everywhere (via LDAP), so no mapping is needed.
 
 Of course it will require quite a few scripts to synchronize passwords,
 create users in LDAP and Kerberos, etc. But it works...
 
 
 
 Yongjun Rong wrote:
 
  Hi, Andrew,
 Thank you very much for your answer.
 Now our case is as below:
 1, our client machine is the windows 2000
 2, We want our Kerberos to run in the Unix box.
 3, We also want the samba as PDC for all windows users and machines.
 4, We want to integrate the Kerberos Authentication with samba authentication.
 So in this situation, can we get the kerberos login from the windows 2000 client
  because windows 2000 supports kerberos authentication. If it can, where can I
  start?
 I have already set up the environment for the windows 2000 client authenticating
  himself to the Kerberos Realm in the Solaris and authenticating the samba domain user
  to the local windows 2k machine. But these two cases are separated from each other,
  which means the kerberos authentication uses the kerberos password and samba PDC
  authentication uses the smbpasswd. And I 

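The password-sync script sketched in the question above (a `passwd program` that gets `%u` as its argument and the new password on stdin, then pushes it to smbpasswd and to the KDC), combined with the keytab-authenticated change-password principal suggested in the reply, as an added Python example; this is not code from the thread, from Samba or from MIT Kerberos. The realm, keytab path, principal name, the `smbpasswd -s` and `kadmin -k -t ... -p ...` invocations and the cpw quoting are assumptions. The script only builds the commands and hands them to `subprocess.run` (injectable, so it can be dry-run with a stub); it validates the username Samba passes before that name goes into any command, and feeds the `cpw` line to kadmin over stdin so the password never appears in the process list.

```python
#!/usr/bin/env python3
"""Hypothetical Samba 'passwd program' that pushes a new password to both the
Samba password store and an MIT Kerberos KDC (added example, not thread code).

Assumed layout:
  * Samba runs this as root:  sync-kerb-smb <username>
    and supplies the new password on stdin (first line).
  * A dedicated change-password principal exists and its key was exported
    with `ktadd -k <keytab>`; this script authenticates with that keytab.
  * Realm, keytab path and principal below are placeholders.
"""
import re
import subprocess
import sys

REALM = "EXAMPLE.COM"                          # assumed realm
KEYTAB = "/etc/samba/pwsync.keytab"            # assumed keytab path
ADMIN_PRINCIPAL = "pwsync/admin@EXAMPLE.COM"   # assumed change-password principal

# Samba hands over %u; accept only plain account names (plus a trailing '$'
# for machine trust accounts) so the name cannot carry kadmin syntax or
# shell metacharacters into the commands built below.
_USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_.-]{0,30}\$?$")


def validate_username(name: str) -> bool:
    """True if `name` is a safe account name for the commands below."""
    return bool(_USERNAME_RE.match(name))


def validate_password(password: str) -> bool:
    """Reject characters that would break the line-oriented protocols used
    here: newline/NUL for smbpasswd, double quotes for kadmin's tokenizer."""
    return password != "" and not any(c in password for c in '\n\r\0"')


def is_machine_account(name: str) -> bool:
    return name.endswith("$")


def principal_for(name: str) -> str:
    return f"{name}@{REALM}"


def smbpasswd_argv(name: str) -> list:
    # -s: silent, read the passwords from stdin instead of /dev/tty
    return ["smbpasswd", "-s", name]


def kadmin_argv() -> list:
    # Authenticate with the keytab rather than an interactive admin password.
    return ["kadmin", "-k", "-t", KEYTAB, "-p", ADMIN_PRINCIPAL]


def kadmin_script(name: str, password: str) -> str:
    """Commands fed to kadmin over stdin; the password is never in argv, so
    it does not show up in `ps` output (assumes kadmin accepts "quoted" args)."""
    return f'cpw -pw "{password}" {principal_for(name)}\nquit\n'


def sync_password(name: str, password: str, run=subprocess.run) -> bool:
    """Change the Samba password, then the Kerberos one. True only if every
    required step succeeded. `run` is injectable for dry runs and tests."""
    if not validate_username(name) or not validate_password(password):
        return False
    # Run as root, smbpasswd -s expects the new password twice (new, retype).
    smb = run(smbpasswd_argv(name), input=f"{password}\n{password}\n",
              text=True, capture_output=True)
    if smb.returncode != 0:
        return False
    if is_machine_account(name):
        # Machine trust accounts live only on the Samba/LDAP side in the
        # setup discussed; nothing to update in the KDC (this example's choice).
        return True
    kdc = run(kadmin_argv(), input=kadmin_script(name, password),
              text=True, capture_output=True)
    return kdc.returncode == 0


def main(argv: list) -> int:
    if len(argv) != 2:
        print("usage: sync-kerb-smb <username>", file=sys.stderr)
        return 2
    password = sys.stdin.readline().rstrip("\n")   # first line from Samba
    return 0 if sync_password(argv[1], password) else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

If smbpasswd fails the script stops before touching the KDC, so the two stores can only drift in the direction the reply already warns about (a user-side kpasswd change), never because of a half-applied run of this script.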
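The expiry scan described in the reply above (walk the principals, read each password expiry date, warn users a few days ahead with a link to the change page) as an added Python example, not code from the thread or from MIT Kerberos. It assumes the admin collects `kadmin.local -q "getprinc <name>"` output for each principal and that the KDC prints the `Password expiration date:` line either as `[never]` or in strftime `%a %b %d %H:%M:%S %Z %Y` form; the sample output, the realm and the change-password URL are constructed.

```python
#!/usr/bin/env python3
"""Find Kerberos principals whose password expires within N days (added
example). Input is assumed to be concatenated `getprinc` output from
kadmin.local, one block per principal; the sample below is constructed."""
from datetime import datetime, timedelta
import re

WARN_DAYS = 5
CHANGE_URL = "https://passwd.example.com/change"   # placeholder webpage

# Constructed sample in the assumed getprinc layout (EXAMPLE.COM is a placeholder).
SAMPLE_GETPRINC = """\
Principal: jhiggins@EXAMPLE.COM
Expiration date: [never]
Last password change: Mon Oct 28 17:24:00 EST 2002
Password expiration date: Sun Nov 03 17:24:00 EST 2002
Maximum ticket life: 1 day 00:00:00

Principal: yrong@EXAMPLE.COM
Expiration date: [never]
Last password change: Tue Oct 01 09:00:00 EDT 2002
Password expiration date: Fri Nov 15 09:00:00 EST 2002
Maximum ticket life: 1 day 00:00:00

Principal: service/host.example.com@EXAMPLE.COM
Expiration date: [never]
Password expiration date: [never]
Maximum ticket life: 1 day 00:00:00
"""

_DATE_FMT = "%a %b %d %H:%M:%S %Y"


def parse_kadmin_date(value: str):
    """'Sun Nov 03 17:24:00 EST 2002' -> naive datetime; '[never]'/'[none]' -> None."""
    value = value.strip()
    if value.startswith("["):
        return None
    parts = value.split()
    if len(parts) != 6:
        raise ValueError(f"unexpected kadmin date: {value!r}")
    # Drop the zone abbreviation (index 4): strptime's %Z accepts only a few
    # names, and the comparison below is done at day granularity anyway.
    return datetime.strptime(" ".join(parts[:4] + parts[5:]), _DATE_FMT)


def parse_getprinc(text: str) -> dict:
    """Map principal name -> password expiry datetime (None means never)."""
    result = {}
    current = None
    for line in text.splitlines():
        m = re.match(r"^Principal:\s*(\S+)", line)
        if m:
            current = m.group(1)
            result[current] = None
            continue
        m = re.match(r"^Password expiration date:\s*(.+)$", line)
        if m and current is not None:
            result[current] = parse_kadmin_date(m.group(1))
    return result


def expiring_within(expiries: dict, now: datetime, days: int = WARN_DAYS) -> list:
    """Principals whose password expires within `days` of `now` (or already
    has), soonest first. Principals with no expiry are skipped."""
    cutoff = now + timedelta(days=days)
    due = [(exp, p) for p, exp in expiries.items()
           if exp is not None and exp <= cutoff]
    return [p for _, p in sorted(due)]


def notification(principal: str, expiry: datetime) -> str:
    # Steer users to the paths that keep Samba in sync, as the reply advises.
    return (f"Your password for {principal} expires on {expiry:%Y-%m-%d}. "
            f"Change it from Windows or at {CHANGE_URL}, not with kpasswd, "
            f"so your Samba password stays in sync.")


if __name__ == "__main__":
    today = datetime(2002, 11, 1, 12, 0, 0)   # fixed "now" for the sample run
    expiries = parse_getprinc(SAMPLE_GETPRINC)
    for principal in expiring_within(expiries, today):
        print(notification(principal, expiries[principal]))
```

Run from cron with the real `getprinc` output piped in place of the sample; the day-granularity comparison means a principal is reported from the warning window until the admin or user actually changes the password.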
[Samba] Re: Samba PDC and Kerberos(MIT or SEAM in Unix, without microsoft ADS)

2002-10-31 Thread Yongjun Rong
Hi, Andrew, 
   Thank you very much for your answer.
   Now our case is as below:
   1, our client machine is the windows 2000 
   2, We want our Kerberos to run in the Unix box.
   3, We also want the samba as PDC for all windows users and machines.
   4, We want to integrate the Kerberos Authentication with samba authentication.
   So in this situation, can we get the kerberos login from the windows 2000 client 
because windows 2000 supports kerberos authentication. If it can, where can I 
start?
   I have already set up the environment for the windows 2000 client authenticating 
himself to the Kerberos Realm in the Solaris and authenticating the samba domain user 
to the local windows 2k machine. But these two cases are separated from each other, 
which means the kerberos authentication uses the kerberos password and samba PDC 
authentication uses the smbpasswd. And I can also map (using Ksetup /mapuser) the 
kerberos user to the local or samba domain user and then do the authentication to 
the kerberos. So what we really want is, when we do the samba PDC authentication we can 
use the kerberos password. I don't know if it is right. PLS correct me.
  Thank you very much.
  John

 Original Message 
From:   Andrew Bartlett
Date:   Mon 10/28/02 17:24
To: Yongjun Rong
Cc: [EMAIL PROTECTED]
Subject:Re: Samba and Kerberos(MIT or SEAM, without microsoft ADS)

Yongjun Rong wrote:
 
 Hi, Andrew,
This is John from Texas Tech University. I have read your reply about samba and
 kerberos. May I ask you some questions about samba and Kerberos.
1, Can samba use kerberos (not with ADS, just MIT or SEAM in Solaris)
 as the authentication service and store samba users and passwords in the kerberos
 database directly, not using OpenLDAP?

If you can get the clients to send you a kerberos login without using
ADS, then the modification is relatively simple, and is part of the work
towards an Active Directory replacement.

2, If it cannot, I know samba supports Kerberos with Microsoft ADS.
 Where can I start to change the source to enable the support for MIT or SEAM in
 Solaris? How can I do it? I have downloaded the source of samba3.0alpha20. And I also
 have configured samba as a PDC for my win2k client.

You can't do PDC stuff with this kind of setup, not until we get a *lot*
more Active Directory work done.

3, You said that samba should support MIT kerberos. But not at this moment.
 Did it support kerberos in the older version or not? Which version? If it was not
 supported, I wish I can do something for it.
Thank you very much for your help.
John.

In a very old version, we used the host keytab.  Now we use our own
secrets.tdb file, which we maintain.  This is because in an ADS
environment, we need to do both NT authentication and Kerberos.

Please put questions to the list, so that others may see the replies. 
CC me if you want me to actually read it however :-)

Andrew Bartlett

-- 
Andrew Bartlett [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team  [EMAIL PROTECTED]
Student Network Administrator, Hawker College   [EMAIL PROTECTED]
http://samba.org http://build.samba.org http://hawkerc.net

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba



Re: [Samba] Re: Samba PDC and Kerberos(MIT or SEAM in Unix, without microsoft ADS)

2002-10-31 Thread Yura Pismerov

Here is what you could use:

LDAP with Kerberos password backend.
Samba 2.2.6 PDC with LDAP backend.

Windows passwords are stored in LDAP in the samba object, not in the Kerberos
KDC, since they use incompatible encryption methods.

Use Kerberos passwords as the primary source and synchronize Windows
passwords with them when a user changes his password or an administrator
resets it.

This setup will allow you to use the same password across the board for Unix
shell access and email (via pam_ldap, nss_ldap and pam_krb5) and for
Windows access (via Samba PDC), and the same namespace will be used
everywhere (via LDAP), so no mapping is needed.

Of course it will require quite a few scripts to synchronize passwords,
create users in LDAP and Kerberos, etc. But it works...



Yongjun Rong wrote:
 
 Hi, Andrew,
Thank you very much for your answer.
Now our case is as below:
1, our client machine is the windows 2000
2, We want our Kerberos to run in the Unix box.
3, We also want the samba as PDC for all windows users and machines.
4, We want to integrate the Kerberos Authentication with samba authentication.
So in this situation, can we get the kerberos login from the windows 2000 client
 because windows 2000 supports kerberos authentication. If it can, where can I
 start?
I have already set up the environment for the windows 2000 client authenticating
 himself to the Kerberos Realm in the Solaris and authenticating the samba domain user
 to the local windows 2k machine. But these two cases are separated from each other,
 which means the kerberos authentication uses the kerberos password and samba PDC
 authentication uses the smbpasswd. And I can also map (using Ksetup /mapuser) the
 kerberos user to the local or samba domain user and then do the authentication to
 the kerberos. So what we really want is, when we do the samba PDC authentication we can
 use the kerberos password. I don't know if it is right. PLS correct me.
   Thank you very much.
   John
 
  Original Message 
 From:   Andrew Bartlett
 Date:   Mon 10/28/02 17:24
 To: Yongjun Rong
 Cc: [EMAIL PROTECTED]
 Subject:Re: Samba and Kerberos(MIT or SEAM, without microsoft ADS)
 
 Yongjun Rong wrote:
 
  Hi, Andrew,
 This is John from Texas Tech University. I have read your reply about samba and
  kerberos. May I ask you some questions about samba and Kerberos.
 1, Can samba use kerberos (not with ADS, just MIT or SEAM in Solaris)
  as the authentication service and store samba users and passwords in the kerberos
  database directly, not using OpenLDAP?
 
 If you can get the clients to send you a kerberos login without using
 ADS, then the modification is relatively simple, and is part of the work
 towards an Active Directory replacement.
 
 2, If it cannot, I know samba supports Kerberos with Microsoft ADS.
  Where can I start to change the source to enable the support for MIT or SEAM in
  Solaris? How can I do it? I have downloaded the source of samba3.0alpha20. And I also
  have configured samba as a PDC for my win2k client.
 
 You can't do PDC stuff with this kind of setup, not until we get a *lot*
 more Active Directory work done.
 
 3, You said that samba should support MIT kerberos. But not at this moment.
  Did it support kerberos in the older version or not? Which version? If it was not
  supported, I wish I can do something for it.
 Thank you very much for your help.
 John.
 
 In a very old version, we used the host keytab.  Now we use our own
 secrets.tdb file, which we maintain.  This is because in an ADS
 environment, we need to do both NT authentication and Kerberos.
 
 Please put questions to the list, so that others may see the replies.
 CC me if you want me to actually read it however :-)
 
 Andrew Bartlett
 
 --
 Andrew Bartlett [EMAIL PROTECTED]
 Manager, Authentication Subsystems, Samba Team  [EMAIL PROTECTED]
 Student Network Administrator, Hawker College   [EMAIL PROTECTED]
 http://samba.org http://build.samba.org http://hawkerc.net
 