So far answers I've received about this have been inconsistent at best and downright inaccurate at worst. I'm going to try one more time and see if, at the very least, someone can give me a lead. I ask you to consider what I'm asking remotely possible, and then seek a solution. (Particularly before one blasts off an ill-thought-out message that says simply, "Can't be done," simply because you've never done it or haven't heard of it being done.) So consider this a challenge or a riddle.
1. I have an OpenLDAP directory server that I am using for user and group information. I would like to use it also to authenticate against. This way, whatever I hook up to it (Samba, webstuff, PHP apps, CMS) can both authenticate and authorize from one source.
2. There is a separate Kerberos server that has users' campus-wide passwords. I have access to it, but do not control it.
3. I have a separate Linux file server running Samba. PCs and Macs will connect to it.
I know I can do Kerberos authentication directly from Samba, but I'd prefer OpenLDAP do the Kerberos connection. Here's why: a) I can solve the problem once, rather than have to work out BOTH LDAP and Kerberos connections for every new authenticated service I add, and b) LDAP hooks are more common than Kerberos hooks for other services for which I will eventually want authentication and authorization. And yes, I know it breaks the Kerberos model.
The question and the challenge: Any leads on how I might convince Samba to pass the input password on to OpenLDAP so that OpenLDAP can authenticate it against Kerberos?
Wes
Wes Modes wrote:
So far answers I've received about this have been inconsistent at best and downright inaccurate at worst. I'm going to try one more time and see if, at the very least, someone can give me a lead. I ask you to consider what I'm asking remotely possible, and then seek a solution. (Particularly before one blasts off an ill-thought-out message that says simply, "Can't be done," simply because you've never done it or haven't heard of it being done.) So consider this a challenge or a riddle.
When you have no idea what's involved in what you're asking, you're in no position to label a response as "ill-thought-out."
- I have an OpenLDAP directory server that I am using for user and group information. I would like to use it also to authenticate against. This way, whatever I hook up to it (Samba, webstuff, PHP apps, CMS) can both authenticate and authorize from one source.
- There is a separate Kerberos server that has users' campus-wide passwords. I have access to it, but do not control it.
- I have a separate Linux file server running Samba. PCs and Macs will connect to it.
I know I can do Kerberos authentication directly from Samba, but I'd prefer OpenLDAP do the Kerberos connection. Here's why: a) I can solve the problem once, rather than have to work out BOTH LDAP and Kerberos connections for every new authenticated service I add, and b) LDAP hooks are more common than Kerberos hooks for other services for which I will eventually want authentication and authorization. And yes, I know it breaks the Kerberos model.
The question and the challenge: Any leads on how I might convince Samba to pass the input password on to OpenLDAP so that OpenLDAP can authenticate it against Kerberos?
Sounds like you're asking how to configure Samba. Try a Samba mailing list.
As an initial hint - Windows clients authenticating to Samba will generally have one of two choices - NTLM or Kerberos authentication. For NTLM, the Samba server needs either the plaintext password or the hashed equivalent (e.g., the value typically stored in sambaNTpassword if Samba is using LDAP for password storage). Clearly if your authentication database resides only in a Kerberos KDC, then this option is unavailable to you.
Since that leaves Kerberos as your only choice, you should realize that passwords are never sent between a client and a server when Kerberos authentication is being used. So, there is no password for Samba to pass to the LDAP server.
So, the short answer to your ill-thought-out question: it can't be done.
There are many ways to integrate Samba, Kerberos, and LDAP. The scenario you propose isn't one of them.
Howard Chu wrote:
Wes Modes wrote:
So far answers I've received about this have been inconsistent at best and downright inaccurate at worst. I'm going to try one more time and see if, at the very least, someone can give me a lead. I ask you to consider what I'm asking remotely possible, and then seek a solution. (Particularly before one blasts off an ill-thought-out message that says simply, "Can't be done," simply because you've never done it or haven't heard of it being done.) So consider this a challenge or a riddle.
When you have no idea what's involved in what you're asking, you're in no position to label a response as "ill-thought-out."
Howard, with all respect. I only mention it because of earlier experience with this list. No one here is unfamiliar with the propensity of list denizens for firing off inaccurate or overreaching responses. So far, I've received both, along with a few, "I don't know the answer to your question, so I'll answer a different one." I certainly don't know everything about OpenLDAP, but I can tell the difference between a message fired off in haste and a thoughtful response.
My lack of knowledge shouldn't be the barrier to my acquiring a greater understanding of these systems. If the only people who feel safe and confident enough to brave the hyper-critical keyboards of these "expert" lists, then the people who need the most help aren't getting it and only the people who need the least help have open access.
- I have an OpenLDAP directory server that I am using for user and group information. I would like to use it also to authenticate against. This way, whatever I hook up to it (Samba, webstuff, PHP apps, CMS) can both authenticate and authorize from one source.
- There is a separate Kerberos server that has users' campus-wide passwords. I have access to it, but do not control it.
- I have a separate Linux file server running Samba. PCs and Macs will connect to it.
I know I can do Kerberos authentication directly from Samba, but I'd prefer OpenLDAP do the Kerberos connection. Here's why: a) I can solve the problem once, rather than have to work out BOTH LDAP and Kerberos connections for every new authenticated service I add, and b) LDAP hooks are more common than Kerberos hooks for other services for which I will eventually want authentication and authorization. And yes, I know it breaks the Kerberos model.
The question and the challenge: Any leads on how I might convince Samba to pass the input password on to OpenLDAP so that OpenLDAP can authenticate it against Kerberos?
Sounds like you're asking how to configure Samba. Try a Samba mailing list.
Well, it seems that if I were to get what I'm looking for working, it would involve some rather clever configuration of both OpenLDAP AND Samba.
I was able to get OpenLDAP to authenticate via Kerberos, using saslauthd and a {SASL}hash.
And I was able to get Samba to authenticate via OpenLDAP.
I know the mechanisms are different and can't merely be plugged in end-to-end, but perhaps with all the big brain power of the Internet something would be possible.
As an initial hint - Windows clients authenticating to Samba will generally have one of two choices - NTLM or Kerberos authentication. For NTLM, the Samba server needs either the plaintext password or the hashed equivalent (e.g., the value typically stored in sambaNTpassword if Samba is using LDAP for password storage). Clearly if your authentication database resides only in a Kerberos KDC, then this option is unavailable to you.
Can that hashed password be passed on to Kerberos? Or can the password databases in Kerberos and in OpenLDAP be synced?
Since that leaves Kerberos as your only choice, you should realize that passwords are never sent between a client and a server when Kerberos authentication is being used. So, there is no password for Samba to pass to the LDAP server.
So, the short answer to your ill-thought-out question: it can't be done.
There are many ways to integrate Samba, Kerberos, and LDAP. The scenario you propose isn't one of them.
I'm open to hearing about other models. My goal is a centralization of both authorization AND authentication in a single OpenLDAP server.
W.
On Thu, 2008-04-03 at 14:02 -0700, Howard Chu wrote:
Wes Modes wrote:
The question and the challenge: Any leads on how I might convince Samba to pass the input password on to OpenLDAP so that OpenLDAP can authenticate it against Kerberos?
Sounds like you're asking how to configure Samba. Try a Samba mailing list.
As an initial hint - Windows clients authenticating to Samba will generally have one of two choices - NTLM or Kerberos authentication. For NTLM, the Samba server needs either the plaintext password or the hashed equivalent (e.g., the value typically stored in sambaNTpassword if Samba is using LDAP for password storage). Clearly if your authentication database resides only in a Kerberos KDC, then this option is unavailable to you.
Indeed, the flawed assumption here appears to be that Samba has some kind of password to pass on. NTLM is a challenge-response system, so arbitrarily passing the password on to anything that is not an NTLM server is simply not possible.
Since that leaves Kerberos as your only choice, you should realize that passwords are never sent between a client and a server when Kerberos authentication is being used. So, there is no password for Samba to pass to the LDAP server.
So, the short answer to your ill-thought-out question: it can't be done.
This is correct. Getting Windows clients to use Kerberos (outside of an AD setup) is the challenge, and is beyond the scope of expertise on this list.
If the KDC is an AD server, are your Windows clients part of that AD domain? Then please look at the very standard ways this is handled.
Andrew Bartlett
On Thursday 03 April 2008 22:39:26 Wes Modes wrote:
So far answers I've received about this have been inconsistent at best and downright inaccurate at worst. I'm going to try one more time and see if, at the very least, someone can give me a lead. I ask you to consider what I'm asking remotely possible, and then seek a solution. (Particularly before one blasts off an ill-thought-out message that says simply, "Can't be done," simply because you've never done it or haven't heard of it being done.) So consider this a challenge or a riddle.
- I have an OpenLDAP directory server that I am using for user and group information. I would like to use it also to authenticate against. This way, whatever I hook up to it (Samba, webstuff, PHP apps, CMS) can both authenticate and authorize from one source.
- There is a separate Kerberos server that has users' campus-wide passwords. I have access to it, but do not control it.
- I have a separate Linux file server running Samba. PCs and Macs will connect to it.
Let's ignore the solution you proposed, and look at what you *can* do.
1) You can have the OpenLDAP directory server authenticate simple binds against the KDC.
2) You can (if your OpenLDAP directory server has appropriate service principals and their tickets or keytabs) authenticate LDAP access to your OpenLDAP directory server via Kerberos.
3) You can have all your user and group information (including the samba password hashes, samba group mappings etc.) in the OpenLDAP directory server.
Thus far, there isn't really a means for you to authenticate access from Windows clients accessing your samba server with the same credentials that they use for (1) or (2).
However, the "Active Directory Password Cache" overlay sitting in ITS may help. Instead of (1), you may rather choose to use the adpwc overlay: simple binds against the directory would first try to authenticate with the password hash stored in the userPassword attribute in-directory. If that fails, the overlay intercepts that, and tries a Kerberos authentication with the principal stored in the krbPrincipalName attribute. If this succeeds, the overlay hashes the password and stores the hash in the userPassword attribute, and hashes it with a samba-compatible hash and stores the hash in the sambaNTPassword attribute.
Now, authentications with the same password will not contact the KDC, and samba should be able to authenticate the user with the hash in the OpenLDAP directory.
The inconvenience here is that if the password has changed on the KDC, Samba won't get the new password until the directory server has seen a simple bind with the new password. The inconvenience could be reduced by putting in a simple web script allowing users to sync their passwords.
The password expiry aspects also need some looking at ...
Regards, Buchan
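A model of the cache-then-KDC bind flow described above, added here as an illustration; it is not code from this thread or from the adpwc overlay itself. The KDC is stood in for by a dict, the principal and passwords are constructed, and the only real pieces are the hash formats: slapd's {SSHA} for userPassword and Samba's NT hash (MD4 over the UTF-16LE password) for sambaNTPassword. The demo also shows the staleness caveat from the message: after the KDC password changes, the old password keeps binding from the cache until someone binds with the new one.

```python
import base64, hashlib, os, struct

def md4(data: bytes) -> bytes:
    # Pure-Python MD4 (RFC 1320); hashlib's md4 is often unavailable under OpenSSL 3.
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rot = lambda v, s: ((v << s) | (v >> (32 - s))) & 0xFFFFFFFF
    rounds = ((F, 0, (3, 7, 11, 19), lambda i: i),
              (G, 0x5A827999, (3, 5, 9, 13), lambda i: (i % 4) * 4 + i // 4),
              (H, 0x6ED9EBA1, (3, 9, 11, 15), lambda i: int(f"{i:04b}"[::-1], 2)))
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for f, k, shifts, idx in rounds:
            for i in range(16):
                a, b, c, d = d, rot((a + f(b, c, d) + X[idx(i)] + k) & 0xFFFFFFFF, shifts[i % 4]), b, c
        a, b, c, d = (a + aa) & 0xFFFFFFFF, (b + bb) & 0xFFFFFFFF, (c + cc) & 0xFFFFFFFF, (d + dd) & 0xFFFFFFFF
    return struct.pack("<4I", a, b, c, d)

def nt_hash(password: str) -> str:
    # sambaNTPassword: MD4 over the UTF-16LE password, stored as uppercase hex.
    return md4(password.encode("utf-16-le")).hex().upper()

def ssha(password: str, salt: bytes = b"") -> str:
    # {SSHA} as slapd stores it: base64(sha1(password + salt) + salt).
    salt = salt or os.urandom(4)
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def ssha_check(password: str, stored: str) -> bool:
    raw = base64.b64decode(stored[len("{SSHA}"):])
    return hashlib.sha1(password.encode() + raw[20:]).digest() == raw[:20]

def simple_bind(entry: dict, password: str, kdc: dict) -> str:
    """Bind flow as described for adpwc: in-directory hash first, KDC second, cache on success.
    kdc is a constructed stand-in (principal -> current password). Returns which path won."""
    if "userPassword" in entry and ssha_check(password, entry["userPassword"]):
        return "cache"                               # KDC is never contacted on this path
    if kdc.get(entry["krbPrincipalName"]) != password:
        return "fail"
    entry["userPassword"] = ssha(password)           # cache for later simple binds
    entry["sambaNTPassword"] = nt_hash(password)     # cache for Samba's NTLM challenge-response
    return "kdc"

def demo() -> tuple:
    kdc = {"wes@EXAMPLE.EDU": "password"}            # constructed principal and password
    entry = {"krbPrincipalName": "wes@EXAMPLE.EDU"}
    first = simple_bind(entry, "password", kdc)      # 'kdc': both hashes get written
    second = simple_bind(entry, "password", kdc)     # 'cache': served from the directory
    kdc["wes@EXAMPLE.EDU"] = "newpass"               # password changed on the KDC
    stale = simple_bind(entry, "password", kdc)      # 'cache': old password still accepted
    fresh = simple_bind(entry, "newpass", kdc)       # 'kdc': cache refreshed with the new password
    return first, second, stale, fresh, entry["sambaNTPassword"]
```

The `stale` result is the point to watch: the cached hashes are only as current as the last successful simple bind, which is why a password-sync script or an expiry policy on the cached attributes is needed.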
Honestly, this is the closest response I've received to restating what I already know CAN be done, understanding what I was hoping for, and admitting any possibility of doing anything remotely similar.
Buchan Milne wrote:
On Thursday 03 April 2008 22:39:26 Wes Modes wrote:
So far answers I've received about this have been inconsistent at best and downright inaccurate at worst. I'm going to try one more time and see if, at the very least, someone can give me a lead. I ask you to consider what I'm asking remotely possible, and then seek a solution. (Particularly before one blasts off an ill-thought-out message that says simply, "Can't be done," simply because you've never done it or haven't heard of it being done.) So consider this a challenge or a riddle.
- I have an OpenLDAP directory server that I am using for user and group information. I would like to use it also to authenticate against. This way, whatever I hook up to it (Samba, webstuff, PHP apps, CMS) can both authenticate and authorize from one source.
- There is a separate Kerberos server that has users' campus-wide passwords. I have access to it, but do not control it.
- I have a separate Linux file server running Samba. PCs and Macs will connect to it.
Let's ignore the solution you proposed, and look at what you *can* do.
1) You can have the OpenLDAP directory server authenticate simple binds against the KDC.
Check. Got there pretty early.
2) You can (if your OpenLDAP directory server has appropriate service principals and their tickets or keytabs) authenticate LDAP access to your OpenLDAP directory server via Kerberos.
Check. With some help, I got there. I've set up the OpenLDAP to Kerberos connection using saslauthd and replacing the hashed userPassword field with {SASL}username@MYREALM.EDU.
3) You can have all your user and group information (including the samba password hashes, samba group mappings etc.) in the OpenLDAP directory server.
Check. This took some doing and the help of smbldap-tools, but I got there too. I've set up the authentication connection between Samba and OpenLDAP, via smbldap-tools. It works by adding new fields to the OpenLDAP schema specific to the needs of samba. Then samba uses those OpenLDAP fields as a hashed password repository.
The challenge is that, while these two methods allow Samba to authenticate via OpenLDAP and allow OpenLDAP to authenticate via Kerberos, they are really intended for different purposes. In method one, samba is authenticating by comparing the passwords it's getting to the OpenLDAP hashed repository. In method two, OpenLDAP is using saslauthd to authenticate against a Kerberos realm. They are two different mechanisms with two different security models.
I know now that I can't just plug them in end-to-end and expect them to work. But I was hoping that experts on this and the OpenLDAP list would suggest creative solutions. I'm open to creative hacks and use contrary to labeling.
Thus far, there isn't really a means for you to authenticate access from Windows clients accessing your samba server with the same credentials that they use for (1) or (2).
However, the "Active Directory Password Cache" overlay sitting in ITS may help. Instead of (1), you may rather choose to use the adpwc overlay: simple binds against the directory would first try to authenticate with the password hash stored in the userPassword attribute in-directory. If that fails, the overlay intercepts that, and tries a Kerberos authentication with the principal stored in the krbPrincipalName attribute. If this succeeds, the overlay hashes the password and stores the hash in the userPassword attribute, and hashes it with a samba-compatible hash and stores the hash in the sambaNTPassword attribute.
Now, authentications with the same password will not contact the KDC, and samba should be able to authenticate the user with the hash in the OpenLDAP directory.
The inconvenience here is that if the password has changed on the KDC, Samba won't get the new password until the directory server has seen a simple bind with the new password. The inconvenience could be reduced by putting in a simple web script allowing users to sync their passwords.
The password expiry aspects also need some looking at ...
There are a few new concepts here for me that I'll go away and learn something about, namely overlays. And a sneaking worry that your mention of Active Directory might ice me out of the solution since I am running Samba on RHEL.
Wes
On Friday 04 April 2008 20:33:29 Wes Modes wrote:
3) You can have all your user and group information (including the samba password hashes, samba group mappings etc.) in the OpenLDAP directory server.
Check. This took some doing and the help of smbldap-tools, but I got there too. I've set up the authentication connection between Samba and OpenLDAP, via smbldap-tools. It works by adding new fields to the OpenLDAP schema specific to the needs of samba. Then samba uses those OpenLDAP fields as a hashed password repository.
The challenge is that, while these two methods allow Samba to authenticate via OpenLDAP and allow OpenLDAP to authenticate via Kerberos, they are really intended for different purposes.
Practically speaking (ignoring the theory, and assuming you aren't going to be running samba4), there is only one way for samba to authenticate users from OpenLDAP, and that is by reading the Samba password hashes, which allows it to do NTLM challenge response authentication. There is no other way until Samba4 (AFAIK).
Thus far, there isn't really a means for you to authenticate access from Windows clients accessing your samba server with the same credentials that they use for (1) or (2).
However, the "Active Directory Password Cache" overlay sitting in ITS may help. Instead of (1), you may rather choose to use the adpwc overlay: simple binds against the directory would first try to authenticate with the password hash stored in the userPassword attribute in-directory. If that fails, the overlay intercepts that, and tries a Kerberos authentication with the principal stored in the krbPrincipalName attribute. If this succeeds, the overlay hashes the password and stores the hash in the userPassword attribute, and hashes it with a samba-compatible hash and stores the hash in the sambaNTPassword attribute.
Now, authentications with the same password will not contact the KDC, and samba should be able to authenticate the user with the hash in the OpenLDAP directory.
The inconvenience here is that if the password has changed on the KDC, Samba won't get the new password until the directory server has seen a simple bind with the new password. The inconvenience could be reduced by putting in a simple web script allowing users to sync their passwords.
The password expiry aspects also need some looking at ...
There are a few new concepts here for me that I'll go away and learn something about, namely overlays. And a sneaking worry that your mention of Active Directory might ice me out of the solution since I am running Samba on RHEL.
In the context of this module, "Active Directory" really means a KDC which you don't control, but against which you want to validate passwords before caching them for simple binds and samba in your OpenLDAP directory; it has nothing to do with what you are running on your side. It works perfectly with a Unix KDC (I tested with Heimdal).
Regards, Buchan
openldap-technical@openldap.org