KFW with NT4 domain
Franco Milicchio
milicchio at wisc.edu
Fri Mar 4 16:43:39 EST 2005
Jeffrey Altman wrote:
> OpenAFS for Windows' Integrated Login behaves the same way. You will
> obtain an AFS token and not have any Kerberos 5 tickets in the logon
> session.
Perfect (*)
> I am a developer. You are a user. You read the documentation that
> I write to answer your questions. Otherwise, I have no time to develop
> the software. :)
Yes, but it's not so clear that the same things will work in a Windows
domain.
> Part of the problem is that you are not asking the right question.
As I said, I'm trying to explain myself... I just don't have experience on
the MS side. I know I lack some terminology used in that world.
> The other part is that you are asking about the functionality of the
> OpenAFS for Windows Integrated Login even though you do not think you
> are. Please read the installation notes for OpenAFS for Windows.
> You might also consider searching the openafs-info mailing list
> archives.
The thing is that, coming from Linux, AFS and Kerberos are well
separated things, and I do Kerberos authentication in the first and only
instance. The AFS token will be gained after a successful
authentication, having stored a Kerberos credential.
> End user authentication to a Samba (NT4) PDC does not use Kerberos, it
> uses either plaintext passwords or NTLM.
I know Kerberos is in AD, not available until Samba 4. A long road.
> If you are configuring Samba
> to use PAM to validate the username/password combination, then you are
> using plaintext passwords. In other words, I can sniff the network and
> watch every username/password combination used on your Windows domain
> and there in your Kerberos realm. DO NOT DO THIS!!!
I'd like to avoid this. I know I can authenticate on a Kerberos KDC
directly, but the user must exist locally. At least, that's what I
understand from MS documentation for Kerberos interaction.
I have tried KFW with ksetup from MS. It works. Just create a local user
matching the Kerberos principal (you can leave the password blank) and
choose, at the login window, to authenticate over the KDC, not
on Windows. I can log in, gaining the ticket, correctly shown in KfW Leash.
> In order to use NTLMv2, you must have a copy of the password database
> available to Samba.
That's a thing I don't know how is possible. I can also say: don't
use Kerberos for authentication, but at least don't use plaintext
passwords.
> If you want to use Kerberos to authenticate end users, then you must use
> Kerberos. Either deploy an Active Directory with a cross-realm trust
> to a non-AD KDC or deploy one of the AD workalikes. You can travel to
> the future and bring back a copy of Samba 4. That will do what you
> desire.
I don't have a time machine now, sorry :)
Again, there's the fact that AD should stay away from me. I know Samba can
use LDAP for authentication, but anyway, will the password run in plain
text? I hope not... AD and cross-realms add layers, and adding things will
just result in more complexity and probable errors... That's why I'm
desperately trying to use Samba as an AFS gateway, along with Kerberos. I
know there are projects like kSamba & co., but I'd like to stay with my
Debian stable for server-side hosts.
It seems that there's really no way of avoiding AD, is there?
--
Franco Milicchio <mailto:milicchio at wisc.edu>
No keyboard found. Press F1 to continue...
(Almost every BIOS available in this world... even yours!)
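The ksetup-based setup that the message above describes (a non-AD MIT realm, a local account matching the Kerberos principal, logon against the KDC instead of the machine), written out as an added example; this is not part of the original thread and not Franco's or Microsoft's script. The realm, KDC host, principal and local account names are assumed placeholders.

```powershell
# Added example: configure a standalone Windows workstation to log on against an
# MIT Kerberos KDC with ksetup, as described in the message above. All names are
# assumed placeholders; substitute your own.
$Realm     = 'EXAMPLE.ORG'          # assumed Kerberos realm (non-AD KDC)
$Kdc       = 'kdc.example.org'      # assumed KDC host name
$Principal = 'franco@EXAMPLE.ORG'   # assumed principal to log on as
$LocalUser = 'franco'               # assumed matching local Windows account

# 1. Create the local account the principal will be mapped onto. The message
#    says its password can be left blank, which is what this does (assumed).
net user $LocalUser /add

# 2. Tell the workstation which realm it belongs to and where its KDC is.
ksetup.exe /setdomain $Realm
ksetup.exe /addkdc $Realm $Kdc

# 3. Map the Kerberos principal onto the local account, so a successful
#    KDC authentication is authorised as that local user.
ksetup.exe /mapuser $Principal $LocalUser

# 4. Print the resulting realm/KDC/mapping configuration for review.
ksetup.exe
```

A restart is typically needed after changing the realm with ksetup. At the logon window the realm then appears as a selectable domain; choosing it authenticates against the KDC rather than the local SAM, and the resulting TGT is what the message reports seeing in KfW Leash. The mapping step is the part that makes the "user must exist locally" requirement explicit: without a matching local account (or mapping) the KDC-authenticated principal has nothing to be authorised as on the workstation.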