Samba 3.0 as NT4 PDC with MIT kerberos 1.3 (v5) for authentication? - SMB


Thread: Samba 3.0 as NT4 PDC with MIT kerberos 1.3 (v5) for authentication?

  1. Samba 3.0 as NT4 PDC with MIT kerberos 1.3 (v5) for authentication?

    Hi All-

    I realize that I am perhaps posting in the wrong group, and I'll
    certainly try the kerberos lists/groups next, but I thought I'd start
    here since I just posted here recently with a slightly different set
    of questions.

    Previously, I asked if Samba 3.0 could be an Active Directory Domain
    Controller (ADDC). I haven't seen any replies yet, but I have the
    feeling that the answer is no. If so, then I have this other
    question:

    Can I use Samba as an NT4 PDC for making a Windows NT4 domain that
    would host several M$ Windows XPP client computers as domain
    clients/members, but have these client computers (and their users)
    actually do their authentication not against the PDC, but rather,
    against an MIT kerberos 1.3 (v5) Key Distribution Center (KDC) or
    kerberos server?

    I've now read one or two cases of educational institutions using
    similar arrangements, but in their circumstances, they often had a M$
    Windows 2000 Server machine that was the ADDC for a domain, then they
    established trust between the ADDC and their MIT kerberos v5 KDC, and
    then their client computers did pass-through authentication not
    against the ADDC, but rather, against the KDC. To be more specific,
    the client computers were domain members of a domain hosted by the
    ADDC (perhaps could also be an NT4 PDC?), and their authentication
    requests apparently did a pass-through of the ADDC and then were
    checked against the kerberos database on the KDC. If the
    authentication was successful, then the users ended up with a
    single sign-on (SSO) onto their Win2k/WinXP boxes, got kerberos
    tickets for services from the KDC, and then obtained access to
    authorized services (apparently, services that were a part of the
    domain that they logged into, thus Samba would provide), and also
    (possibly) services that were made available by unix machines that
    were not necessarily a part of the ADDC (or NT4) domain, but that did
    have service principals in the kerberos database. Does that make
    sense?

    So, does anyone know if such a scheme would work with no ADDC (since I
    don't have and don't want a M$ server), but rather, with Samba 3.0
    acting as the PDC in an NT4 domain rather than an ADS domain? Since,
    as I said above, I get the impression that Samba 3.0 cannot be an
    ADDC, using it to provide an NT4 domain seems like the next best
    alternative---if it will work.

    Thanks in advance for any thoughts, suggestions, advice on whether
    this will or will not work and, if the former (it will work), then any
    tips/tricks or gotchas on actually implementing the plan.

    Thanks again, Samba Team, for your terrific suite of software! May it
    be the point of the stake in the heart of M$!!!

    -Jane

  2. Re: Samba 3.0 as NT4 PDC with MIT kerberos 1.3 (v5) for authentication?

    Jane Deer wrote:

    > Can I use Samba as an NT4 PDC for making a Windows NT4 domain that
    > would host several M$ Windows XPP client computers as domain
    > clients/members, but have these client computers (and their users)
    > actually do their authentication not against the PDC, but rather,
    > against an MIT kerberos 1.3 (v5) Key Distribution Center (KDC) or
    > kerberos server?



    This is pretty much the holy grail for our department, which would like
    to get out of the business of authenticating users (pass that through to
    the main campus KDCs) while maintaining administrative control and
    pushing roaming profiles to our windows workstations. We've got total
    windows lock-in on the desktop (a specific series of apps) and would
    like to achieve windows lock-out on the back end.

    However, from the best I can figure, Samba ain't there yet.

    1) Kerberos, the protocol, doesn't send passwords over the network.
    Samba 3.0 still requires a password hash to authenticate users. So
    forget about taking advantage of the improved security of Kerb.

    2) ...but that said, you'd need a way for smbd to compare its password
    hash to a remote KDC. And while with PAM, you can allow shell access to
    a linux box after authenticating through a KDC, you can't get smbd to
    recognize that authentication.

    Please correct me if I'm mistaken.

    3) If roaming profiles aren't a concern, you can get something close-
    you can set your workstations to grant desktop sessions through a KDC-
    the kerberos user principal gets on the computer, but with a profile
    mapped to a local account on the workstation.

    Use the ksetup.exe tool on the Windows 2K/XP setup disk. It should be in
    the support\tools folder-

    c:\ksetup /addkdc REALM.EXAMPLE.COM kdc1.example.com
    c:\ksetup /mapuser * "local_windows_account"

    At this point, Samba doesn't enter the equation, however. These windows
    workstations aren't on any domain. They'll need a host principal in the
    Kerberos realm.

    What I haven't tested is this- could Samba 3.0 be told its workgroup is
    "REALM.EXAMPLE.COM" so that ACLs on the samba share would pass through
    to the client? Does that seem possible?



    --
    -+ Ben Donnelly --------------------------------------------
    | System Administrator Nicholas School of the Environment
    | Duke University (919) 613-8128 www.env.duke.edu/it
    | A-138 LSRC Building Research Drive Durham, NC 27708
    -+------------------------------------------------------
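The hash dependency behind points 1) and 2) above, as an added example that is not part of this thread: a Samba NT4 PDC can check an NTLMv2 challenge-response only because its passdb holds the user's NT hash (MD4 over the UTF-16LE password), and no step of a Kerberos exchange delivers that hash to smbd. The account name, domain, server challenge and client blob are constructed sample values; MD4 is implemented inline because hashlib's md4 is often unavailable on OpenSSL 3 builds.

```python
import hmac
import struct

def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320): OpenSSL 3 builds often leave hashlib without md4."""
    mask = 0xFFFFFFFF
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rot = lambda v, s: ((v << s) | (v >> (32 - s))) & mask
    msg = data + b"\x80" + bytes((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    r3 = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(48):
            if i < 16:    # round 1: word order 0..15
                f, k, s, kc = F(b, c, d), i, (3, 7, 11, 19)[i % 4], 0
            elif i < 32:  # round 2: word order 0,4,8,12,1,5,...
                f, k, s, kc = G(b, c, d), (i % 4) * 4 + (i - 16) // 4, (3, 5, 9, 13)[i % 4], 0x5A827999
            else:         # round 3: word order from r3
                f, k, s, kc = H(b, c, d), r3[i - 32], (3, 9, 11, 15)[i % 4], 0x6ED9EBA1
            a, b, c, d = d, rot((a + f + X[k] + kc) & mask, s), b, c
        a, b, c, d = (a + aa) & mask, (b + bb) & mask, (c + cc) & mask, (d + dd) & mask
    return struct.pack("<4I", a, b, c, d)

def nt_hash(password: str) -> bytes:
    """The NT hash a Samba passdb must hold for NTLM: MD4 over the UTF-16LE password."""
    return md4(password.encode("utf-16le"))

def ntlmv2_response(nt: bytes, user: str, domain: str, server_challenge: bytes, blob: bytes) -> bytes:
    """Client side (MS-NLMP): NTOWFv2 = HMAC-MD5(NT hash, UPPER(user)+domain); proof over challenge+blob."""
    ntowf_v2 = hmac.new(nt, (user.upper() + domain).encode("utf-16le"), "md5").digest()
    proof = hmac.new(ntowf_v2, server_challenge + blob, "md5").digest()
    return proof + blob

def verify_ntlmv2(stored_nt: bytes, user: str, domain: str, server_challenge: bytes, response: bytes) -> bool:
    """PDC side: recompute the proof from the stored NT hash; without that hash there is nothing to compare."""
    expected = ntlmv2_response(stored_nt, user, domain, server_challenge, response[16:])
    return hmac.compare_digest(expected[:16], response[:16])

def demo() -> tuple:
    user, domain = "jane", "NTDOM"                  # constructed account in a constructed NT4 domain
    challenge = bytes.fromhex("0123456789abcdef")   # constructed 8-byte server challenge
    blob = b"\x01\x01" + bytes(26)                  # constructed client blob (timestamp/nonce zeroed)
    resp = ntlmv2_response(nt_hash("password"), user, domain, challenge, blob)
    ok = verify_ntlmv2(nt_hash("password"), user, domain, challenge, resp)    # PDC holds the NT hash
    wrong = verify_ntlmv2(nt_hash("other"), user, domain, challenge, resp)    # any other key fails
    return ok, wrong
```

The stored NT hash is password-equivalent for NTLM, which is why a Kerberos-only KDC that never exposes its keys to smbd leaves Samba 3.0 with nothing to verify against.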
