On Friday 17 February 2006 03:35 pm, Paul Kölle wrote:
> Robert Larson wrote:
> > I have a system set up using OpenLDAP combined with Cyrus-SASL and Heimdal
> > kerberos. I have tied samba into it, and will eventually set up samba-tng
> > as an authentication head for samba. With samba, I may use NTLM
> > authentication to include more options for SSO.
>
> Why do you need samba-tng?
The first reason I will be going with TNG is to accommodate a growing network,
essentially taking the task of serving files off of the same piece of
software that authenticates all network NTLM requests. The second is
security: I don't want any authentication to be performed on any hosts
housing "user" services.

I know that I could probably just use samba for this, but my understanding is
that samba-tng aims to provide authentication mechanisms that are beyond the
general samba file serving crowd. This excerpt from
http://www.samba-tng.org/faq.html will support the general idea:

"Samba-TNG is somewhat more advanced in terms of protocol support, although
Samba is catching up and may be ahead in some areas. If you want an NT
domain controller running with an LDAP backend, optionally integrated with
your LDAP-based Unix user database, you probably want to use Samba-TNG. Samba
has some experimental support for this, but Samba-TNG has had it working for
much longer so it is more mature."

>
> > The way my setup works is samba has access to use LDAP for accounting and
> > simple binds (over SSL/TLS). Unfortunately, samba doesn't support
> > kerberos based authentication "(yet)".
>
> To be a bit more specific, samba(3) cannot hand tickets to windows
> clients (yet) ;)
Exactly, though I haven't really looked into samba 4 yet. Hmm, it seems like
that may be my answer to that problem...

>
> > In this setup, the users sign on to their
> > desktop, and the same login is used to access network shares without
> > prompt for another password (this happens by default on most windows
> > desktops) using NTLM.
>
> So this is a normal windows domain with a samba PDC?
Pretty much, although it may be closer to a workgroup with one share machine
(file server) performing NTLM based authentication. I tried to keep it
simple, especially since not all of our clients are domain ready (only those
utilizing XP home edition to name a few).

> > Various applications using SPNEGO/GSSAPI can provide autologin
> > functionality using this same login if we chose to implement something to
> > that effect, but that depends entirely on the applications we might use.
> > For example, IE and Firefox support SPNEGO/GSSAPI, so enabled web
> > applications may use this to authenticate the client without additional
> > credentials.
>
> As long as you don't get tickets for your (windows) clients, this is out
> of scope.
>
> cheers
> Paul
>
> BTW: Does anyone know a site tracking security flaws for kernel 2.6 and
> the relevant fixes?
Have you tried kerneltrap.org? There's always securityfocus.com... Perhaps
what you're looking for is something different. If you find it, let me know. =)

Thanks for the feedback, Paul!

--
gentoo-server@g.o mailing list