RE: Authentication Windows client against Kerberos MIT and authorizing against OpenLDAP.



I came across some articles of people doing it that way. I didn't stop
to think about it, but it could work very well.
It's just another application into the picture we need to worry about.
Also Samba's vulnerability or security is not so good.
I will give it a try.

Franklyn Mendez


-----Original Message-----
From: Scott Grizzard [mailto:scott@xxxxxxxxxxxxxxxxx]
Sent: Tuesday, June 23, 2009 11:25 AM
To: Mendez, Franklyn
Subject: Re: Authentication Windows client against Kerberos MIT and
authorizing against OpenLDAP.

Have you tried using samba3 as an NT4 style domain controller with an
ldap backend?

It was messy, but I got it to work so the XP workstations authenticate
against the SambaPDC, and then used MIT Kerberos on the desktops to
authenticate to the KDC. Since both Samba and Kerberos were using the
same LDAP database, the user only had one password, and was
automatically logged in to the KDC once they signed on to the Windows
Domain.

- Scott Grizzard
http://www.scottgrizzard.com
scott@xxxxxxxxxxxxxxxxx

Mendez, Franklyn wrote:
Hello all,

I am thinking of configuring our Windows XP Prof workstation to
authenticate against our Kerberos servers. I have so far configured
them successfully through the use of ksetup.exe. I have mapped the
user * to * and it works well authorizing these users that have
already been created locally on the workstation. Ksetup can map 1 to 1
user and the use of the wildcard * for all; obviously ksetup doesn't
help me much in terms of authorization.

My next step is using OpenLDAP to authorize them and better control
who logs into what workstation and manage group memberships.

In my online searches I found a lot of third-party directory services,
but many cost money. I want to use my existing LDAP setup.

We currently have Solaris, *nix, AIX and Red Hat Linux servers being
authenticated and authorized by our KRB5 and LDAP DBs.

Has anyone done this before? Can you guide me through the path?

Thank you in advance for your time and information,

Franklyn Mendez

________________________________________________
Kerberos mailing list Kerberos@xxxxxxx
https://mailman.mit.edu/mailman/listinfo/kerberos
