that interop mess: ldap, samba, kerberos

Sam Hartman hartmans at MIT.EDU
Mon Nov 21 10:51:44 EST 2005


>>>>> "Turbo" == Turbo Fredriksson <turbo at bayour.com> writes:


    Turbo> Since I've separated AUTHENTICATION and AUTHORIZATION,
    Turbo> there's no need for an LDAP/slapd keytab...

Then you have a security hole.

Take a look at the following text from section 10 of RFC 4120:

   Proper decryption of an KRB_AS_REP message from the KDC is not
   sufficient for the host to verify the identity of the user; the user
   and an attacker could cooperate to generate a KRB_AS_REP format
   message that decrypts properly but is not from the proper KDC.  To
   authenticate a user logging on to a local system, the credentials
   obtained in the AS exchange may first be used in a TGS exchange to
   obtain credentials for a local server.  Those credentials must then
   be verified by a local server through successful completion of the
   Client/Server exchange.



In particular, just doing a kinit does not actually verify that the
password is correct; it simply verifies that the password typed at the
command line and the one used by the server claiming to be the KDC are
the same.  You need a keytab to confirm the KDC is really a KDC.
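The following is an added illustration of the point Sam makes above; it is not code from this thread or from MIT Kerberos. It is a deliberately simplified model (stdlib-only toy sealing, invented principal names, no real Kerberos message formats or string-to-key) of the two login flows: one that trusts a decryptable AS-REP alone, and one that, per RFC 4120 section 10, goes on to fetch a ticket for the local host service and decrypts it with the host keytab. A rogue KDC that knows the password the attacker is about to type passes the first check and fails the second. In real deployments the equivalent check is krb5_verify_init_creds(), which the verify_ap_req_nofail setting in krb5.conf forces to fail rather than skip when no keytab is available.

```python
"""Toy model of the KDC-spoofing hole described in RFC 4120 section 10.

Everything here is a stand-in for real Kerberos crypto and messages
(added example, not libkrb5): seal/unseal is an encrypt-then-MAC toy,
string2key is a plain hash, principals and passwords are made up.
"""
import hashlib
import hmac
import json
import os


def string2key(password: str) -> bytes:
    # Stand-in for Kerberos string-to-key (real AES enctypes use salted PBKDF2).
    return hashlib.sha256(b"toy-s2k:" + password.encode()).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (length + 31) // 32
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                    for i in range(blocks))[:length]


def seal(key: bytes, data: dict) -> bytes:
    # Encrypt-then-MAC; the MAC plays the role of the Kerberos encrypted-part
    # checksum that makes "decrypts properly" an observable yes/no outcome.
    nonce = os.urandom(16)
    pt = json.dumps(data, sort_keys=True).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expect = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expect, tag):
        raise ValueError("integrity check failed: sealed under a different key")
    pt = bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))
    return json.loads(pt)


class KDC:
    """A KDC holds long-term keys for principals. The genuine KDC holds the
    real ones; a rogue KDC holds whatever the attacker chooses."""

    def __init__(self, keys: dict):
        self.keys = keys                 # principal -> long-term key
        self.tgs_key = os.urandom(32)    # key protecting TGTs, opaque to clients

    def as_exchange(self, client: str) -> bytes:
        # AS-REP: session key sealed under the client's long-term key plus a TGT.
        session = os.urandom(32).hex()
        tgt = seal(self.tgs_key, {"client": client, "session": session})
        return seal(self.keys[client], {"session": session, "tgt": tgt.hex()})

    def tgs_exchange(self, tgt: bytes, service: str) -> bytes:
        # Service ticket sealed under the service's long-term key. Only a KDC
        # that really holds the host key can produce one the host will accept.
        info = unseal(self.tgs_key, tgt)
        return seal(self.keys[service], {"client": info["client"], "service": service})


def kinit(kdc: KDC, user: str, password: str) -> dict:
    """All a bare kinit proves: the AS-REP decrypts under the typed password."""
    return unseal(string2key(password), kdc.as_exchange(user))


def login(kdc: KDC, user: str, password: str, keytab: dict,
          host_principal: str, verify_with_keytab: bool = True) -> bool:
    try:
        creds = kinit(kdc, user, password)
    except ValueError:
        return False
    if not verify_with_keytab:
        return True  # the hole: accepting the user on the AS-REP alone
    # RFC 4120 s.10: use the TGT to get a ticket for a local service, then
    # verify that ticket with the key in the local keytab.
    try:
        ticket = kdc.tgs_exchange(bytes.fromhex(creds["tgt"]), host_principal)
        info = unseal(keytab[host_principal], ticket)
    except ValueError:
        return False
    return info["client"] == user and info["service"] == host_principal


def demo() -> dict:
    # Constructed scenario: made-up principals, passwords and keys.
    host = "host/login.example.com"
    keytab = {host: os.urandom(32)}  # stand-in for /etc/krb5.keytab
    real = KDC({"alice": string2key("correct horse"), host: keytab[host]})
    # The rogue KDC answers alice's AS-REQ under the password the attacker
    # will type ("letmein") but does not know the host's keytab key.
    rogue = KDC({"alice": string2key("letmein"), host: os.urandom(32)})
    return {
        "real_kdc_right_pw": login(real, "alice", "correct horse", keytab, host),
        "real_kdc_wrong_pw": login(real, "alice", "letmein", keytab, host),
        "rogue_kdc_no_keytab_check": login(rogue, "alice", "letmein", keytab, host,
                                          verify_with_keytab=False),
        "rogue_kdc_keytab_check": login(rogue, "alice", "letmein", keytab, host),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'login accepted' if ok else 'login rejected'}")
```

The third result is the hole: the rogue KDC never learns alice's real password, yet the host accepts the login because the AS-REP it forged decrypts under the password the attacker typed. The fourth result is what the keytab buys you: the rogue KDC cannot seal a host/login.example.com ticket under a key it does not have, so the Client/Server exchange fails and the login is rejected.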

