
Re: How can I integrate KERBEROS/LDAP for Windows password hashes?



Hi,

Tarjei Huse wrote:
> 
> Hi,
> 
> I haven't tried this, but have you looked at the Kerberos for Windows (KfW)
> package from MIT?

That's not what I really want.
I want LDAP to have control over
UNIX/Windows passwords.
Windows itself won't know anything about KERBEROS.

It shall work like this.

Windows/UNIX 
logon/authentication
   |    ^
   |    |
   |> Samba <-
       |     |
       |-> LDAP  <------
            |           ^
            |> KERBEROS |
               Authentication

greets Harry
> Tarjei
> 
> Harry Rüter wrote:
> >
> > Hi people,
> >
> > I'm using LDAP/CYRUS-SASL/KERBEROS
> > for authentication of LINUX users in my network
> > (posixAccount).
> >
> > I now want to use this for sambaAccounts too, so that
> > the Windows users use kerberized authentication too.
> >
> > I tried something like this (an example, anonymized ..):
> > (My REALM here is XY.AB)
> > ---snipp---
> >
> > dn: uid=xy,...,dc=xy,dc=xy
> > logonTime: 0
> > displayName: admin
> > lmPassword: {KERBEROS}admin/lmpw@XY.AB
> > objectClass: sambaAccount
> > objectClass: posixAccount
> > primaryGroupID: 512
> > acctFlags: [UX         ]
> > userPassword: {KERBEROS}admin@XY.AB
> > uid: admin
> > uidNumber: 1234
> > cn: admi
> > logoffTime: 2147483647
> > gidNumber: 100
> > kickoffTime: 2147483647
> > pwdLastSet: 1018479812
> > rid: 544
> > homeDirectory: /home/admin
> > pwdCanChange: 0
> > pwdMustChange: 2147483647
> > ntPassword: {KERBEROS}admin@XY.AB
> >
> > ---snipp---
> >
> > You see, I just tried to change the hashes for
> > ntPassword/lmPassword
> > into the kerberized schema. I made two new principals
> > for the Win pw hashes that shall hold
> > the passwords in future.
> >
> > This didn't work, although I used the original
> > hashes as password.
> >
> > I think I made a mistake doing it this way,
> > does anybody have any suggestions how to do it?
> >
> > I also have a problem including kpasswd in a script,
> > as it isn't possible to automate the password inputs.
> >
> > I tried to build a script,
> > here's an example for admin/lmpw@XY.AB:
> >
> > ---snipp---
> >
> > #!/bin/sh
> >
> > ./kpasswd admin/lmpw  << EOF
> > passphrase
> > AAD3B435B51404EEAAD3B435B51404EE
> > AAD3B435B51404EEAAD3B435B51404EE
> > EOF
> >
> > ---snipp---
> >
> > You see, the original hash from Windows shall be the new
> > password.
> >
> > But it doesn't work, as its output shows:
> >
> > ---snipp---
> >
> > 486dx66:/usr/local/kerberos/bin # ./mk
> > Password for admin/lmpw:
> > ./kpasswd: Inappropriate ioctl for device while reading
> > password
> > 486dx66:/usr/local/kerberos/bin #
> >
> > ---snipp---
> >
> > The program doesn't accept the way I want to fill it with
> > information
> > from stdin, too bad.
> >
> > I will work on it, because I want a solution
> > for my network, which should be a single sign-on for
> > Win/LINUX users using KERBEROS.
> >
> > It would be fine if someone had time for an answer
> > which gives me hints on how to proceed.
> >
> > Greetings from Germany
> >
> > Harry
> >
> > PS: I used LDAPv3-HOWTO.html from Turbo Fredrikson
> >     ( http://www.bayour.com ) as a guide on how to work
> >     with LDAP/KERBEROS/SASL.
> >     I can only recommend it to everyone.
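As an added example (not code from this thread or from Samba), here is a way to audit sambaAccount entries like the one Harry posted: a small LDIF reader plus checks that flag lmPassword/ntPassword values that are not the raw 32-hex-digit hashes Samba stores in those attributes (so a {KERBEROS}-prefixed value shows up as unusable), the LM hash of the empty string that appears in his kpasswd script, and the 'N' (no password required) account flag. The DNs, realm and the second entry's hash values are constructed for the sample.

```python
import base64
import re

# Constructed sample modelled on the anonymized entry in the post
# (fake DNs, realm and hash values, not data from the thread).
SAMPLE_LDIF = """\
dn: uid=admin,ou=People,dc=example,dc=test
objectClass: sambaAccount
uid: admin
acctFlags: [UX         ]
lmPassword: {KERBEROS}admin/lmpw@EXAMPLE.TEST
ntPassword: {KERBEROS}admin@EXAMPLE.TEST

dn: uid=bob,ou=People,dc=example,dc=test
objectClass: sambaAccount
uid: bob
acctFlags: [UN         ]
lmPassword: AAD3B435B51404EEAAD3B435B51404EE
ntPassword:: MDEyMzQ1Njc4OUFCQ0RFRjAxMjM0NTY3ODlBQkNERUY=
"""
HEX32 = re.compile(r"^[0-9A-Fa-f]{32}$")   # what Samba stores in lm/ntPassword
EMPTY_LM = "AAD3B435B51404EEAAD3B435B51404EE"  # LM hash of the empty string

def parse_ldif(text):
    """Minimal LDIF reader: blank line ends an entry, 'attr:: v' is base64."""
    entries, current = [], {}
    for line in text.splitlines() + [""]:
        if not line.strip():             # end of entry
            if current:
                entries.append(current)
            current = {}
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):        # base64-encoded value, as in 'userPassword::'
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        current.setdefault(name.strip(), []).append(value.strip())
    return entries

def audit_entry(entry):
    uid = entry.get("uid", ["?"])[0]
    findings = []
    for attr in ("lmPassword", "ntPassword"):
        for value in entry.get(attr, []):
            if not HEX32.match(value):   # e.g. a {KERBEROS}... value: not a hash Samba can use
                findings.append(f"{uid}: {attr} is not 32 hex digits")
            elif attr == "lmPassword" and value.upper() == EMPTY_LM:
                findings.append(f"{uid}: lmPassword is the empty-password LM hash")
    if "N" in entry.get("acctFlags", [""])[0]:   # N = no password required
        findings.append(f"{uid}: acctFlags contain N (no password required)")
    return findings
```

Run `for e in parse_ldif(SAMPLE_LDIF): print(audit_entry(e))` to see both constructed entries flagged; the empty-string LM hash also appears on real accounts whose password exceeds 14 characters or where LM hashes are disabled, so treat that finding as "no usable LM hash stored" rather than proof of an empty password.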