Authentication Windows client against Kerberos MIT and authorizing against OpenLDAP.

Mendez, Franklyn fmendez at qualitytech.com
Tue Jun 23 11:38:37 EDT 2009


I came across some articles of people doing it that way. I didn't stop
to think about it, but it could work very well.
It's just another application into the picture we need to worry about.
Also Samba's vulnerability or security is not so good.
I will give it a try. 

Franklyn Mendez 


-----Original Message-----
From: Scott Grizzard [mailto:scott at scottgrizzard.com] 
Sent: Tuesday, June 23, 2009 11:25 AM
To: Mendez, Franklyn
Subject: Re: Authentication Windows client against Kerberos MIT and
authorizing against OpenLDAP.

Have you tried using samba3 as an NT4 style domain controller with an
ldap backend?

It was messy, but I got it to work so the XP workstations authenticate
against the SambaPDC, and then used MIT Kerberos on the desktops to
authenticate to the KDC.  Since both Samba and Kerberos were using the
same LDAP database, the user only had one password, and was
automatically logged in to the KDC once they signed on to the Windows
Domain.

- Scott Grizzard
http://www.scottgrizzard.com
scott at scottgrizzard.com

Mendez, Franklyn wrote:
> Hello all,
>
> I am thinking of configuring our Windows XP Prof workstation to
> authenticate against our Kerberos servers. I have so far configured them
> successfully through the use of ksetup.exe. I have mapped the user * to *
> and it works well authorizing these users that have already been created
> locally on the workstation. Ksetup can map 1 to 1 user and the use of
> the wildcard * for all; obviously ksetup doesn't help me much in terms
> of authorization.
>
> My next step is using OpenLDAP to authorize them and better control
> who logs into what workstation and manage group memberships.
>
> In my online searches I found a lot of third-party directory services,
> but many cost money. I want to use my existing LDAP setup.
>
> We currently have Solaris, *nix, AIX and Red Hat Linux servers being
> authenticated and authorized by our KRB5 and LDAP DBs.
>
> Has anyone done this before? Can you guide me through the path?
>
> Thank you in advance for your time and information,
>
> Franklyn Mendez