Re: Samba authentication to Kerberos via OpenLDAP, third and last try - Kerberos

This is a discussion on Re: Samba authentication to Kerberos via OpenLDAP, third and last try - Kerberos ; Thanks, Sean. I've set up the OpenLDAP to Kerberos connection using Saslauthd and the {SASL}username@MYREALM.EDU. That part at least is indeed possible. I've also set up an authentication connection between Samba and OpenLDAP, via smbldap-tools. It works by adding new ...

+ Reply to Thread
Results 1 to 4 of 4

Thread: Re: Samba authentication to Kerberos via OpenLDAP, third and last try

  1. Re: Samba authentication to Kerberos via OpenLDAP, third and last try

    Thanks, Sean. I've set up the OpenLDAP to Kerberos connection using
    Saslauthd and the {SASL}username@MYREALM.EDU. That part at least is
    indeed possible.

    I've also set up an authentication connection between Samba and
    OpenLDAP, via smbldap-tools. It works by adding new fields to the
    OpenLDAP schema specific to the needs of samba. Then samba uses those
    OpenLDAP fields as a hashed password repository.

    The challenge is that these are two methods allow Samba to authenticate
    via OpenLDAP and allow OpenLDAP to authenticate via Kerberos, they are
    really intended for different purposes. In method one, samba is
    authenticating by comparing the passwords its getting to the OpenLDAP
    hashed repository. In method two, OpenLDAP is using saslauthd to
    authenticate against a Kerberos realm. They are two different
    mechanisms with two different security models.

    I know now that I can't just plug them in end-to-end and expect them to
    work. But I was hoping that experts on this and the OpenLDAP list would
    suggest creative solutions. I'm open to creative hacks and use contrary
    to labeling.

    For instance, when Samba goes to retrieve the hashed passwords stored in
    the OpenLDAP repository, to get access tot he OpenLDAP db, it
    authenticates via a rootdn with a password stored in a Samba db. On
    the OpenLDAP side, I imagine slapd can be configured to auth against
    Kerberos. Could I somehow pass the requesting Samba user and password
    (or a hash) as the rootdn and rootpw for authentication?

    I know this has drifted pretty far a field from a Kerberos question.
    But this list has been considerably more helpful than the lists
    purportedly dealing with Samba and OpenLDAP.

    W.

    Sean Myers wrote:
    > The discussions of the usefulness or wisdom of using LDAP as your authentication
    > front-end aside, what you're looking for is SASL authd support in OpenLDAP.
    >
    > Most of this is from memory and sparse on info, but at the very least it will
    > tell you that this is very likely possible as I understand your needs, and that
    > solutions do exist.
    >
    > Assuming you've built OpenLDAP with the --with-spasswd option, and that you've
    > got SASL installed with the GSSAPI plugin, you want to make sure you can auth to
    > Kerberos through the saslauthd server. Once that's done, setting a user's
    > password to {SASL}kerberosprincipal, will effectively have OpenLDAP check the
    > password via SASL. For example, my password in LDAP right now is
    > {SASL}smyers@AMERICANRI.COM.
    >
    > I have not used this mechanism in conjunction with Samba, which is why I say
    > that this is very likely possible, and not definitely possible.
    >
    > This is all OpenLDAP and SASL, though, not Kerberos. As such, I will gladly go
    > into more detail off list, and help where I can.
    >
    > --
    > Sean Myers
    > System Administrator
    > American Research Institute
    > (919) 228-4961
    >
    >
    > Wes Modes wrote:
    >
    >> I've asked a similar question on this list, the OpenLDAP list, and on
    >> the Samba list. And while this question has the least to do with
    >> Kerberos, I received the more helpful answers here. As I come to
    >> understand the software I'm dealing with, I can chisel down to the heart
    >> of what I need to know. I ask you to consider what I'm asking remotely
    >> possible, and then seek a solution. Consider this a challenge or a riddle.
    >>
    >> 1. I have an OpenLDAP directory server that I am using for user and
    >> group information. I would like to use it also to authenticate
    >> against. This way, whatever I hook up to it (Samba, webstuff, PHP
    >> apps, CMS) can both authenticate and authorize from one source.
    >> 2. There is a separate Kerberos server that has users' campus-wide
    >> passwords. I have access to it, but do not control it.
    >> 3. I have a separate linux file server running Samba. PCs and Macs
    >> will connect to it.
    >>
    >> I know I can do Kerberos authentication directly from Samba, but I'd
    >> prefer OpenLDAP do the Kerberos connection. Here's why: a) I can solve
    >> the problem once, rather than have to work out BOTH LDAP and Kerberos
    >> connections for every new authenticated service I add, and b) LDAP hooks
    >> are more common than Kerberos hooks for other services for which I will
    >> eventually want authentication and authroization. And yes, I know it
    >> breaks the Kerberos model.
    >>
    >> The question and the challenge: Any leads on how I might convince Samba
    >> to pass the input password on to OpenLDAP so that OpenLDAP can
    >> authenticate it against Kerberos?
    >>
    >> Wes
    >>
    >>

    > ________________________________________________
    > Kerberos mailing list Kerberos@mit.edu
    > https://mailman.mit.edu/mailman/listinfo/kerberos
    >
    >


    --

    Wes Modes
    Server Administrator & Programmer Analyst
    McHenry Library
    Computing & Network Services
    Information and Technology Services
    459-5208

  2. Re: Samba authentication to Kerberos via OpenLDAP, third and lasttry

    Wes Modes wrote:
    > Thanks, Sean. I've set up the OpenLDAP to Kerberos connection using
    > Saslauthd and the {SASL}username@MYREALM.EDU. That part at least is
    > indeed possible.
    > [..]
    > I know now that I can't just plug them in end-to-end and expect them to
    > work. But I was hoping that experts on this and the OpenLDAP list would
    > suggest creative solutions. I'm open to creative hacks and use contrary
    > to labeling.


    Maybe you should think about why "creative hacks" are not a good idea
    and therefore the experts do not suggest any. Kerberos has a certain
    security model. For security reasons the TGT is not something which
    should be stored everywhere. I also consider the saslauthd hack with
    {SASL}username@MYREALM.EDU to be not acceptable.

    Ciao, Michael.

  3. Re: Samba authentication to Kerberos via OpenLDAP, third and last try

    Michael Ströder wrote:
    > Wes Modes wrote:
    >
    >> Thanks, Sean. I've set up the OpenLDAP to Kerberos connection using
    >> Saslauthd and the {SASL}username@MYREALM.EDU. That part at least is
    >> indeed possible.
    >> [..]
    >> I know now that I can't just plug them in end-to-end and expect them to
    >> work. But I was hoping that experts on this and the OpenLDAP list would
    >> suggest creative solutions. I'm open to creative hacks and use contrary
    >> to labeling.
    >>

    >
    > Maybe you should think about why "creative hacks" are not a good idea
    > and therefore the experts do not suggest any. Kerberos has a certain
    > security model. For security reasons the TGT is not something which
    > should be stored everywhere. I also consider the saslauthd hack with
    > {SASL}username@MYREALM.EDU to be not acceptable.
    >
    > Ciao, Michael.

    I've been a sysadmin since 1984, and while I hardly know everything (in
    fact, there are holes in my knowledge you could drive a fleet of trucks
    through), I am more than familiar with the reasons why creative hacks
    are problematic. However, not everyone is totally closed to creative
    solutions and looking beyond only the things they are familiar with.

    The sactamonious and arrogant attitude of list denizens towards people
    who do not already know everything there is to know about a subject, do
    nothing to make the development community more secure or more
    competent. In fact, it create a culture of hyper-criticism in which
    people are afraid to ask perfectly reasonable and important questions.

    Another more patient and creative list member, Buchan Milne, pointed me
    at the Active Directory Password Cache overlay for OpenLDAP, which seems
    to offer more or less what I'm trying to do. Thought you might be
    interested because it allows one to sync a Kerberos, OpenLDAP, and Samba
    passwords invisibly.

    Active Directory Password Cache
    ===============================


    Active Directory does not provide any means to read user credentials on any
    public API. It is possible, to install additional libraries as password sniffer to
    catch and forward cleartext passwords on changes. In case you cannot or simply
    dont want to install such libraries, the Active Directory Password Cache overlay
    is your option.

    The Active Directory Password Cache overlay allows to mirror user account
    credentials without any modification on the AD server. It only takes one
    occasional simple bind authentication against the OpenLDAP server.

    If the credential has not been mirrored yet, the overlay uses the
    krbPrincipalName
    and the password provided by the user to perform a Kerberos init against the
    Active Directory. A successful Kerberos init guarantees a correct password for
    this principal, and therefor the bind finally succeeds.

    Within this overlay operation, the password gets encrypted with the default
    OpenLDAP hash alorithm and stored as userPassword attribute. There is an option
    to update the sambaNTPassword also (using code borrowed from Howard Chu's
    smbk5pwd overlay). All following simple bind authentications will first try
    these cached credentials, making the OpenLDAP server independent from AD.

    In case the user changes its password on the Active Directory server, the old
    password stays valid in OpenLDAP until the user first presents the new password
    for an simple bind. Within this bind operation, the overlay performs another
    Kerberos init and updates the cached credentials in OpenLDAP.


    W.

    --

    Wes Modes
    Server Administrator & Programmer Analyst
    McHenry Library
    Computing & Network Services
    Information and Technology Services
    459-5208



  4. Re: Samba authentication to Kerberos via OpenLDAP, third and lasttry

    Wes Modes wrote:
    > Michael Ströder wrote:
    >>
    >> Maybe you should think about why "creative hacks" are not a good idea
    >> and therefore the experts do not suggest any. Kerberos has a certain
    >> security model. For security reasons the TGT is not something which
    >> should be stored everywhere. I also consider the saslauthd hack with
    >> {SASL}username@MYREALM.EDU to be not acceptable.

    >
    > The sactamonious and arrogant attitude of list denizens towards people
    > who do not already know everything there is to know about a subject, do
    > nothing to make the development community more secure or more
    > competent. In fact, it create a culture of hyper-criticism in which
    > people are afraid to ask perfectly reasonable and important questions.


    I whole-heartly agree. But funny that *you* mention that.

    Ciao, Michael.

+ Reply to Thread