KFW with NT4 domain

Franco Milicchio milicchio at wisc.edu
Fri Mar 4 16:43:39 EST 2005


Jeffrey Altman wrote:
> OpenAFS for Windows' Integrated Login behaves the same way.  You will
> obtain an AFS token and not have any Kerberos 5 tickets in the logon
> session.

Perfect (*)

> I am a developer.  You are a user.  You read the documentation that
> I write to answer your questions.  Otherwise, I have no time to develop
> the software. :)

Yes, but it's not so clear that the same things will work in a Windows 
domain.

> Part of the problem is that you are not asking the right question.

As I said, I'm trying to explain myself... I just don't have experience on 
the MS side. I know I lack some of the terminology used in that world.

> The other part is that you are asking about the functionality of the
> OpenAFS for Windows Integrated Login even though you do not think you
> are.  Please read the installation notes for OpenAFS for Windows.
> You might also consider searching the openafs-info mailing list
> archives.

The thing is that, coming from Linux, AFS and Kerberos are well 
separated things, and I do Kerberos authentication in the first and only 
instance. The AFS token is gained after a successful 
authentication, having stored a Kerberos credential.

> End user authentication to a Samba (NT4) PDC does not use Kerberos, it 
> uses either plaintext passwords or NTLM.

I know Kerberos is in AD, not available until Samba 4. A long road.

> If you are configuring Samba
> to use PAM to validate the username/password combination, then you are
> using plaintext passwords.  In other words, I can sniff the network and
> watch every username/password combination used on your Windows domain
> and there in your Kerberos realm.  DO NOT DO THIS!!!

I'd like to avoid this. I know I can authenticate on a Kerberos KDC 
directly, but the user must exist locally. At least, that's what I 
understand from the MS documentation on Kerberos interaction.

I have tried KFW with ksetup from MS. It works. Just create a matching 
local user for the Kerberos principal (you can leave the password 
blank) and choose, at the login window, to authenticate over the KDC, not 
on Windows. I can log in, gaining the ticket, correctly shown in KFW Leash.

> In order to use NTLMv2, you must have a copy of the password database
> available to Samba.

That's a thing I don't know how is possible. I can also say: don't 
use Kerberos for authentication, but at least don't use plaintext 
passwords.

> If you want to use Kerberos to authenticate end users, then you must use
> Kerberos.  Either deploy an Active Directory with a cross-realm trust
> to a non-AD KDC or deploy one of the AD workalikes.  You can travel to
> the future and bring back a copy of Samba 4.  That will do what you
> desire.

I don't have a time machine now, sorry :)

Again, there's the fact that AD should be away from me. I know Samba can 
use LDAP for authentication, but anyway, will the password run in plain 
text? Hope not... AD and x-realms add layers, and adding things will 
just result in more complexity and probable errors... That's why I'm 
desperately trying to use Samba as an AFS gateway, along with Kerberos. I 
know there are projects like kSamba & co, but I'd like to stay with my 
Debian stable for server-side hosts.

It seems that there's really no way of avoiding AD, is there?

-- 
Franco Milicchio <mailto:milicchio at wisc.edu>

No keyboard found. Press F1 to continue...
(Almost every BIOS available in this world... even yours!)
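The ksetup-based setup Franco describes above (a non-AD Kerberos realm on a standalone Windows host, with a principal mapped to a local account), written out as an added example; this is not code from the original thread or from the KFW/OpenAFS projects. The realm name, KDC hostname, principal and local account name are placeholders.

```powershell
# Added example: standalone Windows workstation logging on against a non-AD KDC.
# Run from an elevated prompt. All names below are placeholders.
$Realm     = 'EXAMPLE.ORG'          # placeholder Kerberos realm (uppercase by convention)
$Kdc       = 'kdc.example.org'      # placeholder KDC hostname
$Principal = 'alice@EXAMPLE.ORG'    # placeholder Kerberos principal
$LocalUser = 'alice'                # placeholder local account the principal maps to

# 1. Tell the Kerberos SSP which realm and KDC to use.
ksetup /setrealm $Realm
ksetup /addkdc  $Realm $Kdc

# 2. Create the matching local account. No password is set here (as in the post);
#    the account is only a container for the local SID, so keep it out of
#    Administrators and rely on the KDC for the actual authentication.
net user $LocalUser /add
net localgroup Users $LocalUser /add

# 3. Map the Kerberos principal onto that local account so a KDC-verified
#    logon lands in the right profile. Mapping '*' would map all principals;
#    mapping a single principal keeps the trust scoped.
ksetup /mapuser $Principal $LocalUser

# 4. Checks: ksetup with no arguments prints the current realm/KDC/mapping
#    configuration; after logging on as alice@EXAMPLE.ORG, klist should list
#    a krbtgt/EXAMPLE.ORG ticket, which is what Leash shows in the GUI.
ksetup
klist
```

At the logon screen the user then types the principal (`alice@EXAMPLE.ORG`), not the local name, so the password travels only to the KDC and not to any NTLM/plaintext path the Samba PDC would use.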


More information about the Kerberos mailing list