Re: Samba authentication to Kerberos via OpenLDAP, third and last try



Thanks, Sean. I've set up the OpenLDAP to Kerberos connection using saslauthd and the {SASL}username@xxxxxxxxxxxx password scheme. That part at least is indeed possible.

I've also set up an authentication connection between Samba and OpenLDAP, via smbldap-tools. It works by adding new fields to the OpenLDAP schema specific to the needs of samba. Then samba uses those OpenLDAP fields as a hashed password repository.

The challenge is that while these two methods allow Samba to authenticate via OpenLDAP and allow OpenLDAP to authenticate via Kerberos, they are really intended for different purposes. In method one, Samba is authenticating by comparing the passwords it's getting to the OpenLDAP hashed repository. In method two, OpenLDAP is using saslauthd to authenticate against a Kerberos realm. They are two different mechanisms with two different security models.

I know now that I can't just plug them in end-to-end and expect them to work. But I was hoping that experts on this and the OpenLDAP list would suggest creative solutions. I'm open to creative hacks and use contrary to labeling.

For instance, when Samba goes to retrieve the hashed passwords stored in the OpenLDAP repository, to get access to the OpenLDAP db, it authenticates via a rootdn with a password stored in a Samba db. On the OpenLDAP side, I imagine slapd can be configured to auth against Kerberos. Could I somehow pass the requesting Samba user and password (or a hash) as the rootdn and rootpw for authentication?

I know this has drifted pretty far afield from a Kerberos question. But this list has been considerably more helpful than the lists purportedly dealing with Samba and OpenLDAP.

W.

Sean Myers wrote:
The discussions of the usefulness or wisdom of using LDAP as your authentication
front-end aside, what you're looking for is SASL authd support in OpenLDAP.

Most of this is from memory and sparse on info, but at the very least it will
tell you that this is very likely possible as I understand your needs, and that
solutions do exist.

Assuming you've built OpenLDAP with the --with-spasswd option, and that you've
got SASL installed with the GSSAPI plugin, you want to make sure you can auth to
Kerberos through the saslauthd server. Once that's done, setting a user's
password to {SASL}kerberosprincipal, will effectively have OpenLDAP check the
password via SASL. For example, my password in LDAP right now is
{SASL}smyers@xxxxxxxxxxxxxxx

I have not used this mechanism in conjunction with Samba, which is why I say
that this is very likely possible, and not definitely possible.

This is all OpenLDAP and SASL, though, not Kerberos. As such, I will gladly go
into more detail off list, and help where I can.

--
Sean Myers
System Administrator
American Research Institute
(919) 228-4961


Wes Modes wrote:
I've asked a similar question on this list, the OpenLDAP list, and on the Samba list. And while this question has the least to do with Kerberos, I received the more helpful answers here. As I come to understand the software I'm dealing with, I can chisel down to the heart of what I need to know. I ask you to consider what I'm asking remotely possible, and then seek a solution. Consider this a challenge or a riddle.

1. I have an OpenLDAP directory server that I am using for user and group information. I would like to use it also to authenticate against. This way, whatever I hook up to it (Samba, webstuff, PHP apps, CMS) can both authenticate and authorize from one source.
2. There is a separate Kerberos server that has users' campus-wide passwords. I have access to it, but do not control it.
3. I have a separate linux file server running Samba. PCs and Macs will connect to it.

I know I can do Kerberos authentication directly from Samba, but I'd prefer OpenLDAP do the Kerberos connection. Here's why: a) I can solve the problem once, rather than have to work out BOTH LDAP and Kerberos connections for every new authenticated service I add, and b) LDAP hooks are more common than Kerberos hooks for other services for which I will eventually want authentication and authorization. And yes, I know it breaks the Kerberos model.

The question and the challenge: Any leads on how I might convince Samba to pass the input password on to OpenLDAP so that OpenLDAP can authenticate it against Kerberos?

Wes

________________________________________________
Kerberos mailing list Kerberos@xxxxxxx
https://mailman.mit.edu/mailman/listinfo/kerberos


--

Wes Modes
Server Administrator & Programmer Analyst
McHenry Library
Computing & Network Services
Information and Technology Services
459-5208
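The slapd -> saslauthd -> Kerberos chain that Sean describes and Wes confirms, written out as an added example (not code from the thread or from the OpenLDAP or Samba projects). It stages the three pieces into a scratch directory for review rather than touching live paths, and it assumes: slapd built with SASL password support (the `--enable-spasswd` configure option), cyrus-sasl's saslauthd installed, and the placeholder realm EXAMPLE.EDU, user `wes` and base DN `dc=example,dc=edu`. Two caveats the thread's answers leave implicit: the `{SASL}` scheme only takes effect when a client performs a simple bind as the user, which is why it helps LDAP-binding services but not Samba's hash-comparing backend that Wes's message describes; and because the kerberos5 mechanism verifies a password by requesting a TGT, saslauthd should be configured to validate that TGT against a service keytab so a spoofed KDC cannot vouch for arbitrary passwords (check the saslauthd documentation for your version for the exact setting).

```shell
#!/bin/sh
# Added example, not from the thread. Stages the slapd -> saslauthd -> Kerberos
# configuration into a scratch directory so each piece can be reviewed before
# it is copied into place. Assumptions (placeholders, not real values):
# realm EXAMPLE.EDU, base DN dc=example,dc=edu, user "wes".
set -u

STAGE="${STAGE:-${TMPDIR:-/tmp}/ldap-sasl-stage}"

# slapd's own SASL config: route password checks to saslauthd's socket.
# On a real host this file lives at /usr/lib/sasl2/slapd.conf or
# /etc/sasl2/slapd.conf depending on the distribution.
write_slapd_sasl_conf() {
    mkdir -p "$STAGE/sasl2"
    cat > "$STAGE/sasl2/slapd.conf" <<'EOF'
pwcheck_method: saslauthd
saslauthd_path: /var/run/saslauthd/mux
EOF
    printf '%s\n' "$STAGE/sasl2/slapd.conf"
}

# saslauthd command line: the kerberos5 mechanism checks a password by asking
# the KDC for a TGT for user@REALM. Start without the -c credential cache;
# with caching on, a changed or revoked Kerberos password keeps working in
# slapd until the cached entry expires.
saslauthd_cmdline() {
    printf '%s\n' "saslauthd -a kerberos5 -m /var/run/saslauthd"
}

# LDIF that moves one user onto the {SASL} scheme. slapd then stores no hash
# for this user: a simple bind as this DN passes the supplied password to
# saslauthd, which checks it against the KDC.
sasl_userpassword_ldif() {
    user="$1"; realm="$2"; basedn="$3"
    printf 'dn: uid=%s,ou=people,%s\n' "$user" "$basedn"
    printf 'changetype: modify\n'
    printf 'replace: userPassword\n'
    printf 'userPassword: {SASL}%s@%s\n' "$user" "$realm"
}

# Checks to run on the real host, in this order, so a failure points at one
# layer. testsaslauthd takes the password on its command line (visible in the
# process list), so use it only from a controlled admin session.
verification_steps() {
    cat <<'EOF'
# 1. saslauthd alone, no slapd involved (expect "OK"):
#    testsaslauthd -u wes -r EXAMPLE.EDU -p 'the-kerberos-password'
# 2. slapd simple bind as the {SASL} user (password prompted, not on argv):
#    ldapwhoami -x -H ldap://localhost -D uid=wes,ou=people,dc=example,dc=edu -W
# 3. Repeat both with a wrong password: expect "NO" and "Invalid credentials".
EOF
}

main() {
    write_slapd_sasl_conf
    saslauthd_cmdline
    sasl_userpassword_ldif wes EXAMPLE.EDU dc=example,dc=edu > "$STAGE/wes-sasl.ldif"
    printf '%s\n' "$STAGE/wes-sasl.ldif"
    verification_steps
}

main
```

Apply the staged LDIF with `ldapmodify -x -D <admin dn> -W -f wes-sasl.ldif` once slapd has been restarted with the SASL config in place; step 3 of the verification is the one that matters for security, since a misconfigured saslauthd that answers "OK" to everything passes steps 1 and 2.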


