Absolute Basic question Kerberos/LDAP - Networking



  1. Absolute Basic question Kerberos/LDAP

    Hello folks!

    As I am just setting up once again a Samba PDC, I was just once again
    confronted with Kerberos and LDAP as an authentication alternative to the
    samba-password file-method.

    Once again I asked Wikipedia about those services.
    Once again I actually did not really understand
    - what those services actually do - not as a theory, but what it means in
    practice!
    - what the difference between Kerberos and LDAP is and why they seem
    somehow to be linked with each other
    - if I would have any benefit from installing them on a server where I act
    as a PDC fileserver.

    So please: could anybody provide me some VERY BASIC info about what this is
    all about?

    Thank you very much for every piece of info/advice

    tom

    --
    Help keep the usenet free!
    Use and/or support (e.g. by setting up an own server) the nonprofit
    open-news-network project:
    http://www.open-news-network.org/


  2. Re: Absolute Basic question Kerberos/LDAP

    Tom wrote:
    > Hello folks!
    >
    > As I am just setting up once again a Samba PDC, I was just once again
    > confronted with Kerberos and LDAP as an authentication alternative to
    > the samba-password file-method.
    >
    > Once again I asked Wikipedia about those services.
    > Once again I actually did not really understand
    > - what those services actually do - not as a theory, but what it means
    > in practice!


    LDAP is a hierarchical database, usually called a directory. A
    directory is just like what it sounds. It's a phone book. It's a list
    of names and some info about the things that have those names. You need
    someplace to keep a list of your users, right?

    Kerberos is an authentication mechanism. Just because I might say I'm
    Abraham Lincoln doesn't mean I actually am Abraham Lincoln. If Abraham
    Lincoln is a valid user (say, because he's listed in the directory) and
    he has access to something (like a web service or a file service), that
    something should have a way to make me have to prove I'm Abraham Lincoln
    (which, of course, I should fail, since I'm not) then be able to make an
    access decision based on success or failure.

    > - what the difference between Kerberos and LDAP is and why they seem
    > somehow to be linked with each other


    They aren't necessarily linked. Kerberos needs a list of valid users
    and their passwords/certificates/whatever. It also needs a list of
    access-controlled services (the things that are going to ask you to
    authenticate before they let you in). It doesn't have to be LDAP, but
    LDAP is pretty handy, especially if you've got lots of users and/or lots
    of services. You can, of course, store other stuff in LDAP, too, like
    email addresses, phone numbers, and organizational info (the stuff LDAP
    was actually originally invented to store), but Kerberos doesn't care
    about those.

    > - if I would have any benefit from installing them on a server where I
    > act as a PDC fileserver.


    Well, if you want to integrate with Windows systems (especially Win2k
    and later) or if you just want to Kerberize your file service, then
    AD-compatibility is a benefit.

    If you just want Kerberos, NFSv4 also supports Kerberos. (Actually
    NFSv4 *requires* an authentication mechanism, and most/all
    implementations use Kerberos as that mechanism. Theoretically NFSv4
    could use a mechanism that involves reciting secret chants and waving a
    rabbit's foot, but I'm not aware of any such implementations.) But most
    people use Samba instead of NFSv4 (conjecture based on perception, not
    assertion based on careful statistics), probably because there are more
    implementation notes/stories/howtos/etc. on it.

    If you just want a fileshare for UNIX/Linux and if NFSv3 and earlier
    satisfy all your needs, then there's no benefit to Samba and Kerberos.
    Just use NFSv3 or earlier. Many people do.

    > So please: could anybody provide me some VERY BASIC info about what
    > this is all about?
    >
    > Thank you very much for every piece of info/advice
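
The split described in the answer above, as an added example that is not part of the original thread: a toy model in which a directory only lists who exists, a Kerberos-like KDC holds the keys and issues tickets, and the file service makes its access decision from the ticket alone. It is a teaching simplification, not the Kerberos protocol: HMAC stands in for Kerberos encryption, the session key and authenticator are left out, and every name, DN and password is constructed.

```python
import hashlib, hmac, json

# Constructed sample data. DIRECTORY plays the LDAP role: names plus attributes.
DIRECTORY = {
    "uid=alincoln,ou=people,dc=example,dc=org": {"cn": "Abraham Lincoln"},
    "cn=files,ou=services,dc=example,dc=org": {"cn": "file service"},
}
USER, SERVICE = list(DIRECTORY)

def key_from_password(principal, password):
    # Long-term key derived from the password; the password itself is never sent.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 50_000)

def mac(key, data):
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def preauth(principal, password, now):
    # Client side: prove knowledge of the key by MACing the current time.
    return mac(key_from_password(principal, password), str(int(now)).encode())

class ToyKDC:
    """Kerberos role: holds keys for users and services listed in the directory."""
    def __init__(self, keys):
        self.keys = keys

    def issue_ticket(self, user, proof, service, now, lifetime=300):
        if not {user, service} <= DIRECTORY.keys() & self.keys.keys():
            return None                      # unknown user or service
        if not hmac.compare_digest(proof, mac(self.keys[user], str(int(now)).encode())):
            return None                      # caller does not hold the user's key
        body = json.dumps({"user": user, "service": service, "exp": now + lifetime})
        return body, mac(self.keys[service], body.encode())

def service_check(service, service_key, ticket, now):
    """Service side: returns the authenticated user name, or None to deny access."""
    if ticket is None:
        return None
    body, tag = ticket
    if not hmac.compare_digest(tag, mac(service_key, body.encode())):
        return None                          # not issued by the KDC, or tampered with
    claims = json.loads(body)
    if claims["service"] != service or claims["exp"] < now:
        return None                          # wrong service or expired
    return claims["user"]

SERVICE_KEY = key_from_password(SERVICE, "constructed-service-secret")
KDC = ToyKDC({USER: key_from_password(USER, "four score"), SERVICE: SERVICE_KEY})
```

The file service never sees a password: it trusts the ticket because only the KDC shares its key, which is why the KDC needs both the list of users and the list of services.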


  3. Re: Absolute Basic question Kerberos/LDAP

    Hello Allen!

    Thank you very much for your detailed info! You helped me very much with
    that!
    Best regards
    Tom


