Re: [Samba] Samba and Kerberos V

2005-01-13 Thread Andrew Bartlett
On Wed, 2005-01-12 at 12:17 +0100, Jukka Salmi wrote:
 Andrew Bartlett -- samba (2005-01-12 21:52:48 +1100):
  On Tue, 2005-01-11 at 18:10 +0100, Jukka Salmi wrote:
   Gémes Géza -- samba (2005-01-10 21:29:44 +0100):
   
   I don't know anything about how Win clients authenticate, but I managed
   to configure a Win2k client to obtain a TGT from a Heimdal kdc during
   login. This is quite well documented somewhere on Microsoft's website.
   
   Would be great if this ticket allowed the client to access samba shares...
  
  I've posted a patch here a number of times that should allow that,
  however if you set 'security=ads' and 'kerberos use keytab=yes', it
  should work...
 
 Hmm, does this mean that with 'security=ads' and 'kerberos use keytab=yes'
 it should work _without_ the patch?

Should, might.  I've attached my proposed patch, it apparently even
worked for someone... You will need to export the cifs/my.full.name
principal into the keytab, plus any others that the client may want to
use.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net


-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

Re: [Samba] Samba and Kerberos V

2005-01-12 Thread Andrew Bartlett
On Tue, 2005-01-11 at 18:10 +0100, Jukka Salmi wrote:
 Gémes Géza -- samba (2005-01-10 21:29:44 +0100):
 
 I don't know anything about how Win clients authenticate, but I managed
 to configure a Win2k client to obtain a TGT from a Heimdal kdc during
 login. This is quite well documented somewhere on Microsoft's website.
 
 Would be great if this ticket allowed the client to access samba shares...

I've posted a patch here a number of times that should allow that,
however if you set 'security=ads' and 'kerberos use keytab=yes', it
should work...

Andrew Bartlett

-- 
Andrew Bartlett                                [EMAIL PROTECTED]
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  [EMAIL PROTECTED]



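Andrew's advice in this message and in his follow-up above is to set 'security=ads' and 'kerberos use keytab=yes' and then export the cifs/my.full.name principal (plus any others a client may ask for) into the keytab. The script below is an added example, not Samba or Heimdal code: it reads a keytab in the MIT/Heimdal file format (version 0x0502) and reports which service principals and enctypes it holds, so an administrator can confirm the cifs/ entry is present before relying on that setting. Because no KDC is available here, it builds a sample keytab inline with a small writer; fs1.example.com, EXAMPLE.COM, the key bytes and the timestamps are constructed values. (Current Samba releases express the same idea with the 'kerberos method' parameter.)

```python
"""Check that a Kerberos keytab carries the cifs/<fqdn> principal Samba needs.

Added example, not Samba or Heimdal code. Reads the MIT/Heimdal keytab format
(version 0x0502). The sample keytab, host name, realm and keys are constructed.
"""
import struct
from dataclasses import dataclass

ENCTYPE_NAMES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
                 23: "arcfour-hmac-md5"}


@dataclass
class KeytabEntry:
    principal: str          # e.g. "cifs/fs1.example.com@EXAMPLE.COM"
    kvno: int               # key version; must match what the KDC currently holds
    enctype: int            # RFC 3961 enctype number
    key: bytes
    timestamp: int = 0
    name_type: int = 1      # KRB5_NT_PRINCIPAL


def _counted(data: bytes, off: int):
    """Read a uint16-length-prefixed octet string with bounds checks."""
    if off + 2 > len(data):
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from(">H", data, off)
    off += 2
    if off + n > len(data):
        raise ValueError("truncated counted octet string")
    return data[off:off + n], off + n


def _cstr(b: bytes) -> bytes:
    return struct.pack(">H", len(b)) + b


def parse_keytab(data: bytes) -> list:
    """Parse a version-0x0502 keytab into KeytabEntry records."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size == 0:
            raise ValueError("zero-length entry")
        if size < 0:                      # negative size marks a deleted slot
            off += -size
            continue
        end = off + size
        if end > len(data):
            raise ValueError("entry runs past end of file")
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = _counted(data, off)
        comps = []
        for _ in range(ncomp):
            c, off = _counted(data, off)
            comps.append(c.decode())
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, off)
        off += 9
        (enctype,) = struct.unpack_from(">H", data, off)
        off += 2
        key, off = _counted(data, off)
        kvno = vno8
        if end - off >= 4:                # optional 32-bit kvno overrides the 8-bit one
            (kvno,) = struct.unpack_from(">I", data, off)
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(),
                                   kvno, enctype, key, timestamp, name_type))
        off = end
    return entries


def build_keytab(entries) -> bytes:
    """Tiny writer used only to construct the sample keytab below."""
    out = bytearray(b"\x05\x02")
    for e in entries:
        name, realm = e.principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _cstr(realm.encode())
        for c in comps:
            body += _cstr(c.encode())
        body += struct.pack(">IIB", e.name_type, e.timestamp, e.kvno & 0xFF)
        body += struct.pack(">H", e.enctype) + _cstr(e.key)
        body += struct.pack(">I", e.kvno)
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def check_service_principals(entries, fqdn: str, realm: str) -> dict:
    """Map each principal Samba may need to the enctype names found for it.
    An empty list means the principal is missing from the keytab."""
    wanted = [f"{svc}/{fqdn}@{realm}" for svc in ("cifs", "host")]
    found = {p: [] for p in wanted}
    for e in entries:
        if e.principal in found:
            found[e.principal].append(ENCTYPE_NAMES.get(e.enctype, f"enctype-{e.enctype}"))
    return {p: sorted(names) for p, names in found.items()}


# Constructed sample keytab: host/ once, cifs/ at two enctypes, all at kvno 3.
SAMPLE_KEYTAB = build_keytab([
    KeytabEntry("host/fs1.example.com@EXAMPLE.COM", 3, 18, b"\x11" * 32, 1105573200),
    KeytabEntry("cifs/fs1.example.com@EXAMPLE.COM", 3, 18, b"\x22" * 32, 1105573200),
    KeytabEntry("cifs/fs1.example.com@EXAMPLE.COM", 3, 23, b"\x33" * 16, 1105573200),
])

if __name__ == "__main__":
    report = check_service_principals(parse_keytab(SAMPLE_KEYTAB),
                                      "fs1.example.com", "EXAMPLE.COM")
    for principal, enctypes in report.items():
        print(principal, "->", enctypes or "MISSING")
```

Against a real file, `check_service_principals(parse_keytab(open("/etc/krb5.keytab", "rb").read()), fqdn, realm)` gives the same report. Several entries for one principal at different enctypes are normal; a kvno that no longer matches the KDC's current key version is the usual reason a freshly re-exported keytab is rejected.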

Re: [Samba] Samba and Kerberos V

2005-01-12 Thread Jukka Salmi
Andrew Bartlett -- samba (2005-01-12 21:52:48 +1100):
 On Tue, 2005-01-11 at 18:10 +0100, Jukka Salmi wrote:
  Gémes Géza -- samba (2005-01-10 21:29:44 +0100):
  
  I don't know anything about how Win clients authenticate, but I managed
  to configure a Win2k client to obtain a TGT from a Heimdal kdc during
  login. This is quite well documented somewhere on Microsoft's website.
  
  Would be great if this ticket allowed the client to access samba shares...
 
 I've posted a patch here a number of times that should allow that,
 however if you set 'security=ads' and 'kerberos use keytab=yes', it
 should work...

Hmm, does this mean that with 'security=ads' and 'kerberos use keytab=yes'
it should work _without_ the patch?


Regards, Jukka

-- 
bashian roulette:
$ ((RANDOM%6)) || rm -rf ~


Re: [Samba] Samba and Kerberos V

2005-01-11 Thread Jukka Salmi
Gémes Géza -- samba (2005-01-10 21:29:44 +0100):
 [EMAIL PROTECTED] wrote:
 
 On Mon, 10 Jan 2005, Jukka == Jukka Salmi wrote:

 
 
  Jukka Does Samba have native Kerberos V support, i.e. is it
  Jukka possible to authenticate against a (Heimdal, in our case)
  Jukka kdc?
[...]
 
 I see this question pop up on this list every so often, but one thing 
 I never see addressed is whether or not Samba can be used to 
 authenticate to the localhost, which, using PAM, could then 
 authenticate against Kerberos.  Apache can do this, or use its 
 mod_auth_krb5 module.  Why can't Samba do something similar?
[...]
 
 What you are asking for is not possible, as long as:
 -Windows clients, and Samba server aren't configured to use plain text 
 passwords (quite a bad idea IMHO).
 -Windows clients do not treat Samba as an Active Directory controller 
 (see Samba4) which trusts your MIT Kerberos server.
 -Windows clients aren't part of an Active Directory domain which trusts 
 your MIT Kerberos server.
 The problem is that when Windows clients send the encrypted NT hashes 
 to the Samba server, there is no way to get back the plaintext from it, 
 and thus no possibility to authenticate using that against Kerberos.
 I don't know too much about authenticating Windows workstations directly 
 against MIT Kerberos, and have no idea whether, in that situation, the 
 workstation attempts a Kerberos authentication or not when trying to 
 connect to a Samba server. If no then you can't do anything :-(. If yes 
 there would be a need for some patches to the winbind daemon which would 
 allow it to authenticate against MIT Kerberos, instead of Active 
 Directory (also Kerberos based).

I don't know anything about how Win clients authenticate, but I managed
to configure a Win2k client to obtain a TGT from a Heimdal kdc during
login. This is quite well documented somewhere on Microsoft's website.

Would be great if this ticket allowed the client to access samba shares...


Cheers, Jukka

-- 
bashian roulette:
$ ((RANDOM%6)) || rm -rf ~


Re: [Samba] Samba and Kerberos V

2005-01-10 Thread Ganeshram Iyer
I had just recently asked this question on this. I have pulled out the
archive URL for you. See if this helps. You can search the archive for
the other related emails.
http://lists.samba.org/archive/samba/2005-January/098189.html
Ganesh


On Mon, 10 Jan 2005 14:22:10 +0100, Jukka Salmi [EMAIL PROTECTED] wrote:
 Hi,
 
 this is possibly a FAQ, but I couldn't find an answer to it so far,
 neither in the Official HOWTO nor somewhere else.
 
 Does Samba have native Kerberos V support, i.e. is it possible to
 authenticate against a (Heimdal, in our case) kdc?
 
 Hints are appreciated!
 
 TIA, Jukka
 
 --
 bashian roulette:
 $ ((RANDOM%6)) || rm -rf ~
 


-- 
Ganeshram Iyer
415 South Oak St #117
Arlington, TX, 76010
Ph (H) - 817-274-7827


Re: [Samba] Samba and Kerberos V

2005-01-10 Thread pll+samba

 On Mon, 10 Jan 2005, Jukka == Jukka Salmi wrote:

  Jukka Does Samba have native Kerberos V support, i.e. is it
  Jukka possible to authenticate against a (Heimdal, in our case)
  Jukka kdc?

 On Mon, 10 Jan 2005, Ganeshram == Ganeshram Iyer wrote:

  Ganeshram I had just recently asked this question on this.

I see this question pop up on this list every so often, but one thing 
I never see addressed is whether or not Samba can be used to 
authenticate to the localhost, which, using PAM, could then 
authenticate against Kerberos.  Apache can do this, or use its 
mod_auth_krb5 module.  Why can't Samba do something similar?

People who have an existing MIT kerberos implementation aren't going
to want to switch over to Heimdal.  And storing kerberos data in LDAP
just seems like an inherently bad idea to begin with.


-- 
Seeya,
Paul

GPG Key fingerprint = 1660 FECC 5D21 D286 F853  E808 BB07 9239 53F1 28EE

 If you're not having fun, you're not doing it right!




Re: [Samba] Samba and Kerberos V

2005-01-10 Thread Gémes Géza
[EMAIL PROTECTED] wrote:
On Mon, 10 Jan 2005, Jukka == Jukka Salmi wrote:
   

 Jukka Does Samba have native Kerberos V support, i.e. is it
 Jukka possible to authenticate against a (Heimdal, in our case)
 Jukka kdc?
 

On Mon, 10 Jan 2005, Ganeshram == Ganeshram Iyer wrote:
   

 Ganeshram I had just recently asked this question on this.
I see this question pop up on this list every so often, but one thing 
I never see addressed is whether or not Samba can be used to 
authenticate to the localhost, which, using PAM, could then 
authenticate against Kerberos.  Apache can do this, or use its 
mod_auth_krb5 module.  Why can't Samba do something similar?

People who have an existing MIT kerberos implementation aren't going
to want to switch over to Heimdal.  And storing kerberos data in LDAP
just seems like an inherently bad idea to begin with.
 

What you are asking for is not possible, as long as:
-Windows clients, and Samba server aren't configured to use plain text 
passwords (quite a bad idea IMHO).
-Windows clients do not treat Samba as an Active Directory controller 
(see Samba4) which trusts your MIT Kerberos server.
-Windows clients aren't part of an Active Directory domain which trusts 
your MIT Kerberos server.
The problem is that when Windows clients send the encrypted NT hashes 
to the Samba server, there is no way to get back the plaintext from it, 
and thus no possibility to authenticate using that against Kerberos.
I don't know too much about authenticating Windows workstations directly 
against MIT Kerberos, and have no idea whether, in that situation, the 
workstation attempts a Kerberos authentication or not when trying to 
connect to a Samba server. If no then you can't do anything :-(. If yes 
there would be a need for some patches to the winbind daemon which would 
allow it to authenticate against MIT Kerberos, instead of Active 
Directory (also Kerberos based).

Cheers,
Geza


Re: [Samba] Samba + (LDAP + Kerberos V)

2004-10-22 Thread Gémes Géza
Andrew Bartlett wrote:
On Thu, 2004-10-21 at 06:46, Gémes Géza wrote:
 

Matt Joyce wrote:
   

 

That's very easy to explain, because if you follow it you will have your 
kerberos using Samba's MD4 password hash, and so all of your *nix and 
windows machines will use the same password. However as Samba3 is able to 
emulate an NT4 DC, Windows clients don't try, nor are successful in using 
kerberos against it. So you can have something like in the following 
ASCII graphic:
   

Care to un-line wrap that and put it into the Wiki?
Andrew Bartlett
 

Attached is a reworked version. Looks right in vi, kwrite, gedit.
Geza

Re: [Samba] Samba + (LDAP + Kerberos V)

2004-10-21 Thread Andrew Bartlett
On Thu, 2004-10-21 at 06:46, Gémes Géza wrote:
 Matt Joyce wrote:

 That's very easy to explain, because if you follow it you will have your 
 kerberos using Samba's MD4 password hash, and so all of your *nix and 
 windows machines will use the same password. However as Samba3 is able to 
 emulate an NT4 DC, Windows clients don't try, nor are successful in using 
 kerberos against it. So you can have something like in the following 
 ASCII graphic:

Care to un-line wrap that and put it into the Wiki?

Andrew Bartlett

-- 
Andrew Bartlett                                [EMAIL PROTECTED]
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  [EMAIL PROTECTED]



Re: [Samba] Samba + (LDAP + Kerberos V)

2004-10-21 Thread Tarjei Huse
Hi,
 
  You can read more about it at:
  https://sec.miljovern.no/bin/view/Info/HeimdalKerberosSambaAndOpenLdap
 

I would be very happy for any input and suggestions to the howto.

Tarjei

 
  Now, assuming the worst and samba is incapable of handling kerberos 
  tickets, and assuming I manage to handle tickets in ldap itself 
  I can authenticate LDAP Samba users of Kerberos without having to 
  keep a synced password db, correct?
 
  -Matt
 
 
 
  Cheers
 
  Geza
 
  yeah that's almost decent documentation for ldap + kerberos but says 
  absolutely nothing about samba 3.
 
 
 That's very easy to explain, because if you follow it you will have your 
 kerberos using Samba's MD4 password hash, and so all of your *nix and 
 windows machines will use the same password. However as Samba3 is able to 
 emulate an NT4 DC, Windows clients don't try, nor are successful in using 
 kerberos against it. So you can have something like in the following 
 ASCII graphic:
 [ASCII diagram, line-wrapped beyond recovery in the archive: boxes labelled "*nix client" and "Windows client" on the left, and "Samba", "LDAP" and "Heimdal" on the right]
 
 Hope this helps to clarify the situation in a pre-Samba4 world.
 
 Cheers,
 
 Geza
 


Mob: 920 63 413 

-- A Mathematician is a machine for turning coffee into theorems. - Paul Erdös


[Samba] Samba + (LDAP + Kerberos V)

2004-10-20 Thread Matt Joyce
So like at least a handful of people before me I have begun the valiant 
struggle to unify logins at my place of business.

I have setup a test LDAP + Kerberos V cluster.
And I have set up a test Samba 3 PDC.
What I would like to do is get Samba to handle kerberos ticket granting 
and authentication to the (LDAP + Kerberos V) Directory.  Such that 
Windows is completely unaware of the existence of Kerberos.  And, also 
such that I don't have to keep samba domain passwords in ldap and sync 
them to kerberos in some sort of bizarre otherworldly failure in 
authentication unification.

(Pardon my attempts at prose I am working on 3 hours of sleep)
The question is really one of what you might suggest in terms of a 
design, particularly if you have tried and/or done this in the past.

I have heard at least with samba 2 what I am trying is impossible.  Not 
sure with Samba 3.  I am wondering if the Active Directory support can 
be employed to my benefit in this manner.

Now, assuming the worst and samba is incapable of handling kerberos 
tickets, and assuming I manage to handle tickets in ldap itself I 
can authenticate LDAP Samba users of Kerberos without having to keep a 
synced password db, correct?

-Matt


Re: [Samba] Samba + (LDAP + Kerberos V)

2004-10-20 Thread Gémes Géza
Matt Joyce wrote:
So like at least a handful of people before me I have begun the 
valiant struggle to unify logins at my place of business.

I have setup a test LDAP + Kerberos V cluster.
And I have set up a test Samba 3 PDC.
What I would like to do is get Samba to handle kerberos ticket 
granting and authentication to the (LDAP + Kerberos V) Directory.  
Such that Windows is completely unaware of the existence of Kerberos.  
And, also such that I don't have to keep samba domain passwords in 
ldap and sync them to kerberos in some sort of bizarre otherworldly 
failure in authentication unification.

(Pardon my attempts at prose I am working on 3 hours of sleep)
The question is really one of what you might suggest in terms of a 
design, particularly if you have tried and/or done this in the past.

I have heard at least with samba 2 what I am trying is impossible.  
Not sure with Samba 3.  I am wondering if the Active Directory support 
can be employed to my benefit in this manner.

You can read more about it at:
https://sec.miljovern.no/bin/view/Info/HeimdalKerberosSambaAndOpenLdap

Now, assuming the worst and samba is incapable of handling kerberos 
tickets, and assuming I manage to handle tickets in ldap itself I 
can authenticate LDAP Samba users of Kerberos without having to keep a 
synced password db, correct?

-Matt
Cheers
Geza


Re: [Samba] Samba + (LDAP + Kerberos V)

2004-10-20 Thread Gémes Géza
Matt Joyce wrote:
Gémes Géza wrote:
Matt Joyce wrote:
So like at least a handful of people before me I have begun the 
valiant struggle to unify logins at my place of business.

I have setup a test LDAP + Kerberos V cluster.
And I have set up a test Samba 3 PDC.
What I would like to do is get Samba to handle kerberos ticket 
granting and authentication to the (LDAP + Kerberos V) Directory.  
Such that Windows is completely unaware of the existence of 
Kerberos.  And, also such that I don't have to keep samba domain 
passwords in ldap and sync them to kerberos in some sort of bizarre 
otherworldly failure in authentication unification.

(Pardon my attempts at prose I am working on 3 hours of sleep)
The question is really one of what you might suggest in terms of a 
design, particularly if you have tried and/or done this in the past.

I have heard at least with samba 2 what I am trying is impossible.  
Not sure with Samba 3.  I am wondering if the Active Directory 
support can be employed to my benefit in this manner.

You can read more about it at:
https://sec.miljovern.no/bin/view/Info/HeimdalKerberosSambaAndOpenLdap

Now, assuming the worst and samba is incapable of handling kerberos 
tickets, and assuming I manage to handle tickets in ldap itself 
I can authenticate LDAP Samba users of Kerberos without having to 
keep a synced password db, correct?

-Matt

Cheers
Geza
yeah that's almost decent documentation for ldap + kerberos but says 
absolutely nothing about samba 3.


That's very easy to explain, because if you follow it you will have your 
kerberos using Samba's MD4 password hash, and so all of your *nix and 
windows machines will use the same password. However as Samba3 is able to 
emulate an NT4 DC, Windows clients don't try, nor are successful in using 
kerberos against it. So you can have something like in the following 
ASCII graphic:
[ASCII diagram, line-wrapped beyond recovery in the archive: boxes labelled "*nix client" and "Windows client" on the left, and "Samba", "LDAP" and "Heimdal" on the right]

Hope this helps to clarify the situation in a pre-Samba4 world.
Cheers,
Geza
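Géza's explanation in the 2005-01-10 message (a Samba server that only ever receives NT-hash-based responses cannot turn them into a Kerberos login) and his remark in this message that the HOWTO has the KDC use Samba's MD4 password hash are two sides of one fact. The script below is an added illustration, not Samba, Heimdal or Windows code: it computes the NT hash (MD4 over the UTF-16LE password), runs an NTLMv2-style challenge/response that the server verifies from the stored hash alone, and shows that the arcfour-hmac-md5 Kerberos long-term key defined in RFC 4757 is that same MD4 value. MD4 is implemented inline because hashlib no longer offers it on many systems; the user name, domain, password, server challenge and client blob are constructed sample values.

```python
"""NT hash, NTLMv2-style verification from the stored hash, and the RFC 4757
arcfour-hmac key. Added illustration, not Samba/Heimdal/Windows code.
All user, domain, password, challenge and blob values are constructed."""
import hashlib
import hmac
import struct

MASK = 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4, pure Python so the example runs without OpenSSL's legacy provider."""
    def f(x, y, z): return (x & y) | (~x & z)
    def g(x, y, z): return (x & y) | (x & z) | (y & z)
    def h(x, y, z): return x ^ y ^ z
    def rotl(x, n): return ((x << n) | (x >> (32 - n))) & MASK

    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg)) % 64)
    msg += struct.pack("<Q", len(data) * 8)          # bit length, little-endian
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for r in range(16):                                      # round 1
            a = rotl((a + f(b, c, d) + x[r]) & MASK, (3, 7, 11, 19)[r % 4])
            a, b, c, d = d, a, b, c
        for r in range(16):                                      # round 2
            k = (r % 4) * 4 + r // 4
            a = rotl((a + g(b, c, d) + x[k] + 0x5A827999) & MASK, (3, 5, 9, 13)[r % 4])
            a, b, c, d = d, a, b, c
        for r in range(16):                                      # round 3
            k = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[r]
            a = rotl((a + h(b, c, d) + x[k] + 0x6ED9EBA1) & MASK, (3, 9, 11, 15)[r % 4])
            a, b, c, d = d, a, b, c
        a, b, c, d = (a + aa) & MASK, (b + bb) & MASK, (c + cc) & MASK, (d + dd) & MASK
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    """NT hash (NTOWFv1): MD4 over the UTF-16LE encoding of the password."""
    return md4(password.encode("utf-16-le"))


def ntowf_v2(nt: bytes, user: str, domain: str) -> bytes:
    """NTLMv2 key: HMAC-MD5 keyed with the NT hash over UPPER(user) + domain."""
    return hmac.new(nt, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()


def ntlmv2_proof(nt: bytes, user: str, domain: str, server_challenge: bytes,
                 client_blob: bytes) -> bytes:
    """NTProofStr as in MS-NLMP: HMAC-MD5(NTOWFv2, ServerChallenge || blob).
    A real blob carries a timestamp, client nonce and target info; here it is
    treated as an opaque constructed byte string."""
    return hmac.new(ntowf_v2(nt, user, domain), server_challenge + client_blob,
                    hashlib.md5).digest()


def server_verify(stored_nt: bytes, user: str, domain: str, server_challenge: bytes,
                  client_blob: bytes, proof: bytes) -> bool:
    """All an NT4-style DC can do with its stored NT hash: recompute and compare.
    The password never appears, so nothing is available for a password-based
    Kerberos AS exchange on the user's behalf."""
    expected = ntlmv2_proof(stored_nt, user, domain, server_challenge, client_blob)
    return hmac.compare_digest(expected, proof)


def rc4_hmac_kerberos_key(password: str) -> bytes:
    """RFC 4757: the arcfour-hmac-md5 long-term key is MD4(UTF-16LE(password)),
    i.e. exactly the NT hash, which is what lets a KDC reuse Samba's hash store."""
    return md4(password.encode("utf-16-le"))


def demo():
    """Constructed exchange: returns (server accepted response, RC4 key == NT hash)."""
    password = "password"                              # constructed
    nt = nt_hash(password)                             # what Samba stores
    challenge = bytes.fromhex("0123456789abcdef")      # constructed 8-byte server challenge
    blob = b"\x01\x01" + bytes(6) + b"constructed-blob"
    proof = ntlmv2_proof(nt, "jukka", "EXAMPLE", challenge, blob)   # client side
    accepted = server_verify(nt, "jukka", "EXAMPLE", challenge, blob, proof)
    return accepted, rc4_hmac_kerberos_key(password) == nt


if __name__ == "__main__":
    print("NT hash:", nt_hash("password").hex())
    print("accepted, rc4_key_equals_nt_hash =", demo())
```

The verification path never touches the password, which is Géza's point: the server can confirm the response but holds nothing it could hand to Kerberos. The key equality is why a KDC pointed at Samba's hash store gives both worlds one password; it also means that store is a set of Kerberos long-term keys and deserves the same protection as the KDC database itself.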