
Re: Samba authentication to Kerberos via OpenLDAP, third and last try

Wes Modes wrote:
> So far answers I've received about this have been inconsistent at best
> and downright inaccurate at worst. I'm going to try one more time and
> see if, at the very least, someone can give me a lead. I ask you to
> consider what I'm asking remotely possible, and then seek a solution.
> (Particularly before one blasts off an ill-thought-out message that says
> simply, "Can't be done," simply because you've never done it or haven't
> heard of it being done.) So consider this a challenge or a riddle.

When you have no idea what's involved in what you're asking, you're in no position to label a response as "ill-thought-out."

>    1. I have an OpenLDAP directory server that I am using for user and
>       group information. I would like to use it also to authenticate
>       against. This way, whatever I hook up to it (Samba, webstuff, PHP
>       apps, CMS) can both authenticate and authorize from one source.
>    2. There is a separate Kerberos server that has users' campus-wide
>       passwords. I have access to it, but do not control it.
>    3. I have a separate Linux file server running Samba. PCs and Macs
>       will connect to it.

> I know I can do Kerberos authentication directly from Samba, but I'd
> prefer OpenLDAP do the Kerberos connection. Here's why: a) I can solve
> the problem once, rather than have to work out BOTH LDAP and Kerberos
> connections for every new authenticated service I add, and b) LDAP hooks
> are more common than Kerberos hooks for other services for which I will
> eventually want authentication and authorization. And yes, I know it
> breaks the Kerberos model.
>
> The question and the challenge: Any leads on how I might convince Samba
> to pass the input password on to OpenLDAP so that OpenLDAP can
> authenticate it against Kerberos?

Sounds like you're asking how to configure Samba. Try a Samba mailing list.

As an initial hint - Windows clients authenticating to Samba will generally have one of two choices - NTLM or Kerberos authentication. For NTLM, the Samba server needs either the plaintext password or the hashed equivalent (e.g., the value typically stored in sambaNTPassword if Samba is using LDAP for password storage). Clearly if your authentication database resides only in a Kerberos KDC, then this option is unavailable to you.

Since that leaves Kerberos as your only choice, you should realize that passwords are never sent between a client and a server when Kerberos authentication is being used. So, there is no password for Samba to pass to the LDAP server.

So, the short answer to your ill-thought-out question: it can't be done.

There are many ways to integrate Samba, Kerberos, and LDAP. The scenario you propose isn't one of them.
--
Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
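The reply above hinges on what Samba must actually hold to answer an NTLM logon: the plaintext password or its NT hash, the value kept in sambaNTPassword when Samba stores passwords in LDAP. The following is an added example, not code from this thread, from Samba or from OpenLDAP. It computes that NT hash (MD4 over the UTF-16LE encoding of the password, implemented here in pure Python because hashlib's md4 is disabled in many OpenSSL 3 builds) and audits constructed directory entries for which Samba mechanisms their stored attributes can support. The entries, the krb5PrincipalName attribute name and the mechanism labels are assumptions for the illustration; a Kerberos-only entry carries no password material for Samba to use or forward.

```python
import struct

MASK = 0xFFFFFFFF


def _rotl(x: int, s: int) -> int:
    """Rotate a 32-bit word left by s bits."""
    return ((x << s) | (x >> (32 - s))) & MASK


def md4(data: bytes) -> bytes:
    """MD4 digest per RFC 1320 (pure Python; no OpenSSL dependency)."""
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    bit_len = len(data) * 8
    # Padding: 0x80, zeros to 56 mod 64, then the 64-bit little-endian bit length.
    data += b"\x80"
    data += b"\x00" * ((56 - len(data) % 64) % 64)
    data += struct.pack("<Q", bit_len)
    for off in range(0, len(data), 64):
        x = list(struct.unpack("<16I", data[off:off + 64]))
        aa, bb, cc, dd = a, b, c, d
        # Round 1: F(b,c,d), message words in order, shifts 3/7/11/19.
        for i in range(16):
            f = (b & c) | (~b & MASK & d)
            a = _rotl((a + f + x[i]) & MASK, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        # Round 2: G(b,c,d), words 0,4,8,12,1,5,..., shifts 3/5/9/13.
        for i in range(16):
            k = (i % 4) * 4 + i // 4
            g = (b & c) | (b & d) | (c & d)
            a = _rotl((a + g + x[k] + 0x5A827999) & MASK, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        # Round 3: H(b,c,d), words 0,8,4,12,2,10,..., shifts 3/9/11/15.
        order = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
        for i in range(16):
            h = b ^ c ^ d
            a = _rotl((a + h + x[order[i]] + 0x6ED9EBA1) & MASK, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a, b, c, d = (a + aa) & MASK, (b + bb) & MASK, (c + cc) & MASK, (d + dd) & MASK
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> str:
    """The sambaNTPassword value: uppercase hex of MD4(UTF-16LE(password))."""
    return md4(password.encode("utf-16-le")).hex().upper()


def samba_auth_options(entry: dict) -> list:
    """Which client mechanisms Samba could serve from this directory entry.

    Only sambaNTPassword lets Samba answer an NTLM logon. A Kerberos principal
    attribute (krb5PrincipalName is assumed here) means tickets go to the KDC;
    no password ever reaches Samba, so there is nothing to hand to LDAP.
    """
    options = []
    if "sambaNTPassword" in entry:
        options.append("NTLM")
    if "krb5PrincipalName" in entry:
        options.append("Kerberos")
    return options


# Constructed sample entries (not real accounts).
LDAPSAM_ENTRY = {
    "uid": "alice",
    "sambaNTPassword": nt_hash("password"),  # Samba hashes at password set time
}
KDC_ONLY_ENTRY = {
    "uid": "wes",
    "krb5PrincipalName": "wes@EXAMPLE.EDU",  # assumed attribute name
}

if __name__ == "__main__":
    print("NT hash of 'password':", nt_hash("password"))
    print("ldapsam entry supports:", samba_auth_options(LDAPSAM_ENTRY))
    print("KDC-only entry supports:", samba_auth_options(KDC_ONLY_ENTRY))
```

The audit function is deliberately narrow: it reports what the stored attributes can back, which is exactly the gap the reply describes. An entry whose only credential is held by a remote KDC yields no NTLM option, and the Kerberos option involves no password that Samba could pass to OpenLDAP.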