Re: Samba authentication to Kerberos via OpenLDAP, third and last try

[Buchan Milne <bgmilne@staff.telkomsa.net>]

On Friday 04 April 2008 20:33:29 Wes Modes wrote:

> > 3)You can have all your user and group information (including the samba
> > password hashes, samba group mappings etc.) in the OpenLDAP directory
> > server.
>
> Check.  This took some doing and the help of smbldap-tools, but I got
> there too.  I've set up the authentication connection between Samba and
> OpenLDAP, via smbldap-tools.  It works by adding new fields to the
> OpenLDAP schema specific to the needs of samba.  Then samba uses those
> OpenLDAP fields as a hashed password repository.
>
> The challenge is that these are two methods allow Samba to authenticate
> via OpenLDAP and allow OpenLDAP to authenticate via Kerberos, they are
> really intended for different purposes.

Practically speaking (ignoring the theory, and assuming you aren't going to be 
running samba4), there is only one way for samba to authenticate users from 
OpenLDAP, and that is by reading the Samba password hashes, which allows it 
to do NTLM challenge response authentication. There is no other way until 
Samba4 (AFAIK).


> > Thus far, there isn't really a means for you to authenticate access from
> > Windows clients accessing your samba server with the same credentials
> > that they use for (1) or (2).
> >
> > However, the "Active Directory Password Cache" overlay sitting in ITS may
> > help. Instead of (1), you may rather choose to use the adpwc overlay,
> > simple binds against the directory would first try and authenticate with
> > the password hash stored in the userPassword attribute in-directory. If
> > that fails, the overlay intercepts that, and tries a Kerberos
> > authentication with the principal stored in the krbPrincipalName
> > attribute. If this succeeds, the overlay hashes the password and stores
> > the has in the userPassword attribute, and hashes it with a
> > samba-compatible hash and stores the has in the sambaNTPassword
> > attribute.
> >
> > Now, authentications with the same password will not contact the KDC, and
> > samba should be able to authenticate the user with the hash in the
> > OpenLDAP directory.
> >
> > The inconvenience here is that if the password has changed on the KDC,
> > Samba won't get the new password until the directory server has seen a
> > simple bind with the new password. The inconvenience could be reduced by
> > putting in a simple web script allowing users to sync their passwords.
> >
> > The password expiry aspects also need some looking at ...
>
> There are a few new concepts here for me that I'll go away and learn
> something about, namely overlays.  And a sneaking worry that your
> mention of Active Directory might ice me out of the solution since I am
> running Samba on RHEL.

In the context of this module, "Active Directory" really means, a KDC which 
you don't control, but against which you want to validate passwords before 
caching them for simple binds and samba in your OpenLDAP directory, and also 
has nothing to do with what you are running on your side ... . It works 
perfectly with a Unix KDC (I tested with Heimdal).


Regards,
Buchan