On Thu, 2008-04-03 at 14:02 -0700, Howard Chu wrote: > > Wes Modes wrote: > > The question and the challenge: Any leads on how I might convince Samba > > to pass the input password on to OpenLDAP so that OpenLDAP can > > authenticate it against Kerberos? > > Sounds like you're asking how to configure Samba. Try a Samba mailing list. > > As an initial hint - Windows clients authenticating to Samba will generally > have one of two choices - NTLM or Kerberos authentication. For NTLM, the Samba > server needs either the plaintext password or the hashed equivalent (e.g., the > value typically stored in sambaNTpassword if Samba is using LDAP for password > storage). Clearly if your authentication database resides only in a Kerberos > KDC, then this option is unavailable to you. Indeed, the flawed assumption here appears to be that Samba has some kind of password to pass on. NTLM is a challenge-response system, so arbitrarily passing the password on to anything that is not an NTLM server is simply not possible. > Since that leaves Kerberos as your only choice, you should realize that > passwords are never sent between a client and a server when Kerberos > authentication is being used. So, there is no password for Samba to pass to > the LDAP server. > > So, the short answer to your ill-thought out question: it can't be done. This is correct. Getting windows clients to use Kerberos (outside of an AD setup) is the challenge, and is beyond the scope of expertise on this list. If the KDC is an AD server, are your windows clients part of that AD domain? Then please look at the very standard ways this is handled. Andrew Bartlett -- Andrew Bartlett http://samba.org/~abartlet/ Authentication Developer, Samba Team http://samba.org Samba Developer, Red Hat Inc.
Description: This is a digitally signed message part