Howard Chu wrote:
Wes Modes
wrote:
So far answers I've received about this have
been inconsistent at best
and downright inaccurate at worst. I'm going to try one more time and
see if, at the very least, someone can give me a lead. I ask you to
consider what I'm asking remotely possible, and then seek a solution.
(Particularly before one blasts off an ill-thought out message that
says
simple, "Can't be done," simple because you've never done it or haven't
heard of it being done.) So consider this a challenge or a riddle.
When you have no idea what's involved in what you're asking, you're in
no position to label a response as "ill-thought out."
Howard, with all respect. I only mention it because of earlier
experience with this list. No one here is unfamiliar with the
propensity of list denizens from firing off inaccurate or overreaching
responses. So far, I've received both, along with a few, "I don't know
the answer to your question, so I'll answer a different one." I
certainly don't know everything about OpenLDAP, but I can tell the
difference between a message fired off in haste and a thoughtful
response.
My lack of knowledge shouldn't be the barrier to my acquiring a greater
understanding of these systems. If the only people who feel safe and
confident enough to brave the hyper-critical keyboards of these
"expert" lists, then the people who need the most help aren't getting
it and only the people who need the least help have open access.
1. I have an OpenLDAP directory server
that I am using for user and
group information. I would like to use it also to authenticate
against. This way, whatever I hook up to it (Samba, webstuff, PHP
apps, CMS) can both authenticate and authorize from one source.
2. There is a separate Kerberos server that has users' campus-wide
passwords. I have access to it, but do not control it.
3. I have a separate linux file server running Samba. PCs and Macs
will connect to it.
I know I can do Kerberos authentication directly from Samba, but I'd
prefer OpenLDAP do the Kerberos connection. Here's why: a) I can solve
the problem once, rather than have to work out BOTH LDAP and Kerberos
connections for every new authenticated service I add, and b) LDAP
hooks
are more common than Kerberos hooks for other services for which I will
eventually want authentication and authroization. And yes, I know it
breaks the Kerberos model.
The question and the challenge: Any leads on how I might convince Samba
to pass the input password on to OpenLDAP so that OpenLDAP can
authenticate it against Kerberos?
Sounds like you're asking how to configure Samba. Try a Samba mailing
list.
Well, it seems that if I were to get what I'm looking for working, it
would involve some rather clever configuration of both OpenLDAP AND
Samba.
I was able to get OpenLDAP to authenticate via Kerberos, using
saslauthd and a {SASL}hash.
And I was able to get Samba to authenticate via OpenLDAP.
I know the mechanisms are different and can't merely be plugged in
end-to-end, but perhaps with all the big brain power of the Internet
that something would be possible.
As an initial hint - Windows clients authenticating to Samba will
generally have one of two choices - NTLM or Kerberos authentication.
For NTLM, the Samba server needs either the plaintext password or the
hashed equivalent (e.g., the value typically stored in sambaNTpassword
if Samba is using LDAP for password storage). Clearly if your
authentication database resides only in a Kerberos KDC, then this
option is unavailable to you.
Can that hashed password be passed on to Kerberos? Or can the password
databases in Kerberos and in OpenLDAP by synced?
Since that leaves Kerberos as your only choice, you should realize that
passwords are never sent between a client and a server when Kerberos
authentication is being used. So, there is no password for Samba to
pass to the LDAP server.
So, the short answer to your ill-thought out question: it can't be
done.
There are many ways to integrate Samba, Kerberos, and LDAP. The
scenario you propose isn't one of them.
I'm open to hearing about other models. My goal is a centralization of
both authorization AND authentication in a single OpenLDAP server.
W.
--
Wes Modes
Server Administrator & Programmer Analyst
McHenry Library
Computing & Network Services
Information and Technology Services
459-5208