Re: [Samba] Samba authentication to Kerberos via OpenLDAP, third and last try
On Thu 3 Apr 2008 5:00:36 pm Wes Modes wrote:
> Volker Lendecke wrote:
> > On Thu, Apr 03, 2008 at 01:34:30PM -0700, Wes Modes wrote:
> >> The question and the challenge: Any leads on how I might convince Samba
> >> to pass the input password on to OpenLDAP so that OpenLDAP can
> >> authenticate it against Kerberos?
> >
> > The only chance is that you modify each client's registry to
> > send plain text passwords to the server over the network,
> > downgrading your security to what telnet provided ages ago.
> > You can guess that this is ABSOLUTELY NOT recommended. If
> > you go with standard Windows authentication schemes, the
> > SMB server never sees the user's plain text password which
> > would be required to authenticate against Kerberos.
> >
> > Volker
>
> Yeah, I'm not so keen on sending plaintext passwords anywhere.
>
> It is already moderately well documented how to connect Samba up to use
> Kerberos authentication. And my guess is that the Kerberos model would
> not allow passwords to be sent plaintext. More likely an encrypted hash
> gets passed? I don't know the precise mechanism, but would like to.
>
> But beyond that, how could one use Samba to pass that encrypted password
> to LDAP to pass on to Kerberos to authenticate?

Note: this is from my experience and research, both of which are extensive but probably wrong.

I wanted to do a similar thing (poor-man's SSO). I believe the problem is twofold:

1) The client never actually sends the password. By default, it sends a response to a challenge from the server; the response is based on the password. So the password, in any form, never traverses the network unless you explicitly turn on that compatibility model. Samba can't forward what it doesn't have.

2) Using LDAP for authentication is...a hack, to put it bluntly. Everybody does it, but we probably shouldn't. The problem is that either authentication scenario (bind against LDAP = Good! or query the tree for user/pw/group/etc.) would require modifications to the LDAP server. It could accept the password, request a certificate and then store the token and return the "Correct" answer if the token is good and intentionally return an "incorrect" answer if the Kerb auth fails. Since you can't send passwords in plaintext for obvious reasons, a simple or complex way to do this escapes me.

I assume that you're not doing domain logins. You could write a web interface or quick Java craplet (or a keylogger...) that takes a login from the user and captures their password. Then you can feed that to a process on the LDAP server which authenticates against Kerberos; if the authentication succeeds, you dump the hashed/crypted version of the password into the LDAP directory for authentication use later. Convoluted, but you could make it work.

Wes

-- 
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Samba authentication to Kerberos via OpenLDAP, third and last try
On Thu, Apr 03, 2008 at 02:00:36PM -0700, Wes Modes wrote:
> It is already moderately well documented how to connect Samba up to use
> Kerberos authentication. And my guess is that the Kerberos model would
> not allow passwords to be sent plaintext. More likely an encrypted hash
> gets passed? I don't know the precise mechanism, but would like to.

http://davenport.sourceforge.net/ntlm.html

Enjoy.

Volker
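The challenge-response exchange that the reply above describes in words ("the client never actually sends the password ... Samba can't forward what it doesn't have") and that the linked NTLM document details, as an added Python model that is not part of this thread: the client derives a keyed hash from the password locally, and the server checks it using nothing but the NT hash it already stores, so no plaintext ever exists on the server side to hand to OpenLDAP or Kerberos. The NTOWFv2/NTProofStr computations follow MS-NLMP; the MD4 routine is inlined because `hashlib` may not expose it; the user, domain, challenges and zeroed timestamp are constructed sample values.

```python
import hmac, hashlib, struct

MASK = 0xFFFFFFFF

def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320): NT hashes need it and OpenSSL 3 hides it in its legacy provider."""
    rotl = lambda x, s: ((x << s) | (x >> (32 - s))) & MASK
    rounds = (  # (boolean function, additive constant, message-word order, shift amounts)
        (lambda x, y, z: (x & y) | (~x & z), 0, list(range(16)), (3, 7, 11, 19)),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999,
         [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13)),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1,
         [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15)),
    )
    msg = data + b"\x80" + b"\0" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for f, k, order, shifts in rounds:
            for i, idx in enumerate(order):
                a = rotl((a + f(b, c, d) + x[idx] + k) & MASK, shifts[i % 4])
                a, b, c, d = d, a, b, c  # rotate registers so the next step updates the next one
        h = [(u + v) & MASK for u, v in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)

def nt_hash(password: str) -> bytes:
    """The NT hash is the only password-derived value the SMB server (or its passdb) keeps."""
    return md4(password.encode("utf-16-le"))

def ntowf_v2(nt: bytes, user: str, domain: str) -> bytes:
    """NTOWFv2 from MS-NLMP: HMAC-MD5 over UPPER(user)||domain, keyed with the NT hash."""
    return hmac.new(nt, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()

def client_response(password, user, domain, server_challenge, client_challenge, target_info=b""):
    """Client side: the password is consumed locally; only NTProofStr || temp goes on the wire."""
    # 'temp' blob per MS-NLMP; the 8-byte timestamp is zeroed here as a constructed sample value
    blob = b"\x01\x01" + b"\0" * 6 + struct.pack("<Q", 0) + client_challenge + b"\0" * 4 + target_info + b"\0" * 4
    proof = hmac.new(ntowf_v2(nt_hash(password), user, domain), server_challenge + blob, hashlib.md5).digest()
    return proof + blob

def server_verify(stored_nt, user, domain, server_challenge, response):
    """Server side: recompute the proof from the stored NT hash and the challenge it issued.
    No plaintext password is ever available here, so there is nothing to forward to Kerberos."""
    proof, blob = response[:16], response[16:]
    expected = hmac.new(ntowf_v2(stored_nt, user, domain), server_challenge + blob, hashlib.md5).digest()
    return hmac.compare_digest(proof, expected)
```

Note that `server_verify` succeeds with the stored hash alone and fails for a wrong hash or a replayed response against a fresh challenge, which is exactly why a server holding only NT hashes cannot re-authenticate the user to a Kerberos KDC.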
Re: [Samba] Samba authentication to Kerberos via OpenLDAP, third and last try
Volker Lendecke wrote:
> On Thu, Apr 03, 2008 at 01:34:30PM -0700, Wes Modes wrote:
> > The question and the challenge: Any leads on how I might convince Samba
> > to pass the input password on to OpenLDAP so that OpenLDAP can
> > authenticate it against Kerberos?
>
> The only chance is that you modify each client's registry to
> send plain text passwords to the server over the network,
> downgrading your security to what telnet provided ages ago.
> You can guess that this is ABSOLUTELY NOT recommended. If
> you go with standard Windows authentication schemes, the
> SMB server never sees the user's plain text password which
> would be required to authenticate against Kerberos.
>
> Volker

Yeah, I'm not so keen on sending plaintext passwords anywhere.

It is already moderately well documented how to connect Samba up to use Kerberos authentication. And my guess is that the Kerberos model would not allow passwords to be sent plaintext. More likely an encrypted hash gets passed? I don't know the precise mechanism, but would like to.

But beyond that, how could one use Samba to pass that encrypted password to LDAP to pass on to Kerberos to authenticate?

W.

-- 
Wes Modes
Server Administrator & Programmer Analyst
McHenry Library Computing & Network Services
Information and Technology Services
459-5208
Re: [Samba] Samba authentication to Kerberos via OpenLDAP, third and last try
On Thu, Apr 03, 2008 at 01:34:30PM -0700, Wes Modes wrote:
> The question and the challenge: Any leads on how I might convince Samba
> to pass the input password on to OpenLDAP so that OpenLDAP can
> authenticate it against Kerberos?

The only chance is that you modify each client's registry to send plain text passwords to the server over the network, downgrading your security to what telnet provided ages ago. You can guess that this is ABSOLUTELY NOT recommended. If you go with standard Windows authentication schemes, the SMB server never sees the user's plain text password which would be required to authenticate against Kerberos.

Volker
[Samba] Samba authentication to Kerberos via OpenLDAP, third and last try
So far answers I've received on this list have been inconsistent at best and downright inaccurate at worst. I'm going to try one more time and see if, at the very least, someone can give me a lead. I ask you to consider what I'm asking remotely possible, and then seek a solution. (Particularly before one blasts off an ill-thought-out message that says simply, "Can't be done," simply because you've never done it or haven't heard of it being done.) So consider this a challenge or a riddle.

1. I have an OpenLDAP directory server that I am using for user and group information. I would like to use it also to authenticate against. This way, whatever I hook up to it (Samba, webstuff, PHP apps, CMS) can both authenticate and authorize from one source.

2. There is a separate Kerberos server that has users' campus-wide passwords. I have access to it, but do not control it.

3. I have a separate linux file server running Samba. PCs and Macs will connect to it.

I know I can do Kerberos authentication directly from Samba, but I'd prefer OpenLDAP do the Kerberos connection. Here's why: a) I can solve the problem once, rather than have to work out BOTH LDAP and Kerberos connections for every new authenticated service I add, and b) LDAP hooks are more common than Kerberos hooks for other services for which I will eventually want authentication and authorization. And yes, I know it breaks the Kerberos model.

The question and the challenge: Any leads on how I might convince Samba to pass the input password on to OpenLDAP so that OpenLDAP can authenticate it against Kerberos?

Wes

-- 
Wes Modes
Server Administrator & Programmer Analyst
McHenry Library Computing & Network Services
Information and Technology Services
459-5208