[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Kerberos v5 release 1.1, OpenLDAP 1.2.8, and samba 2.1.0 as an NT Domain Controller

[Note: repliers to this message may want to trim the CC list to
avoid non-member bouncing by some mailing list managers (such
as those used by OpenLDAP)]

At 04:01 PM 12/13/99 -0700, Jeremy Jones wrote:
>How would a Kerberos KDC, an LDAP directory, and a Samba server interact
>with one another?
>1.  Could the KDC store it's database in the LDAP directory?

Could?  Yes
Should?  debatable

>2.  Could the LDAP directory require Kerberos v5 authentication before
>allowing a user/service access to the directory?

Yes.  Via LDAPv2 Kerberos bind mechanisms or via LDAPv3/SASL mechanisms.

>3.  Would a user first need a TGT, then request authentication from the
>samba server, which in turn would check the LDAP directory for a match?

Match?  Not sure what you mean here.

I would suggest that one authentication service be used and all
your various applications (LDAP, samba) use that service directly.
That is, if LDAP is using Kerberos authentication then so should

>Here's what I'd like to do...
>1. Conifgure OpenLDAP --with-krb5 so that a KDC authenticates connections to
>the LDAP directory.


>2. Configure Kerberos server --with-LDAP so that the Kerberos database is
>stored in the LDAP directoy, and kerb password changes, etc. are made to the
>LDAP directory (if that's what the --with-ldap option actually does for
>kerb1.1--if not, what does it do?)

Likely a bad idea.  For security reasons, it is wise to separate
public (or published) information from private (secret) information.
LDAP is well suited for publishing public information.  Kerberos is
well suited for keeping authentication secrets private.

>3. Configure samba as an NT domain controller --with-ldap and --with-krb5 so
>that NT clients are authenticated by the KDC and have their tickets, etc.
>stored in the LDAP directory.

It is wise to configure applications to avoid proxies.  If LDAP is
using Kerberos, than samba should directly use Kerberos if at all

>Is this a sensible thing to want to do?

Pick an authentication service and use it uniformily.  Avoid
authentication proxies.