| 1 |
On Friday 17 February 2006 03:35 pm, Paul Kölle wrote: |
| 2 |
> Robert Larson wrote: |
| 3 |
> > I have a system setup using OpenLDAP combined with Cyrus-SASL and Heimdal |
| 4 |
> > kerberos. I have tied samba into it, and will eventually setup samba-tng |
| 5 |
> > as an authentication head for samba. With samba, I may use NTLM |
| 6 |
> > authentication to include more options for SSO. |
| 7 |
> |
| 8 |
> Why do you need samba-tng? |
| 9 |
The first reason I will be going with TNG is to accommodate a growing network, |
| 10 |
essentially taking the task of serving files off of the same piece of |
| 11 |
software that authenticates all network NTLM requests. The second is |
| 12 |
security, I don't want any authentication to be performed on any hosts |
| 13 |
housing "user" services. |
| 14 |
|
| 15 |
I know that I could probably just use samba for this, but my understanding is |
| 16 |
that samba-tng aims to provide authentication mechanisms that are beyond the |
| 17 |
general samba file serving crowd. This excerpt from |
| 18 |
http://www.samba-tng.org/faq.html will support the general idea: |
| 19 |
|
| 20 |
"Samba-TNG is somewhat more advanced in terms of protocol support, although |
| 21 |
Samba is catching up and may be ahead in some areas. If you want an NT |
| 22 |
domain controller running with an LDAP backend, optionally integrated with |
| 23 |
your LDAP-based Unix user database, you probably want to use Samba-TNG. Samba |
| 24 |
has some experimental support for this, but Samba-TNG has had it working for |
| 25 |
much longer so it is more mature." |
| 26 |
|
| 27 |
> |
| 28 |
> > The way my setup works is samba has access to use LDAP for accounting and |
| 29 |
> > simple binds (over SSL/TLS). Unfortunately, samba doesn't support |
| 30 |
> > kerberos based authentication "(yet)". |
| 31 |
> |
| 32 |
> To be a bit more specific, samba(3) cannot hand tickets to windows |
| 33 |
> clients (yet) ;) |
| 34 |
Exactly, though, I haven't really looked into samba 4 yet. Hmm, it seems like |
| 35 |
that may be my answer to that problem... |
| 36 |
|
| 37 |
> |
| 38 |
> In this setup, the users sign on to their |
| 39 |
> |
| 40 |
> > desktop, and the same login is used to access network shares without |
| 41 |
> > prompt for another password (this happens by default on most windows |
| 42 |
> > desktops) using NTLM. |
| 43 |
> |
| 44 |
> So this is a normal windows domain with a samba PDC? |
| 45 |
Pretty much, although, it may be closer to a workgroup with one share machine |
| 46 |
(file server) performing NTLM based authentication. I tried to keep it |
| 47 |
simple, especially since not all of our clients are domain ready (only those |
| 48 |
utilizing XP home edition to name a few). |
| 49 |
|
| 50 |
> > Various applications using SPEGNO/GSSAPI can provide autologin |
| 51 |
> > functionality using this same login if we chose to implement something to |
| 52 |
> > that effect, but that depends entirely on the applications we might use. |
| 53 |
> > For example, IE and Firefox support SPEGNO/GSSAPI, so enabled web |
| 54 |
> > applications may use this to authenticate the client without additional |
| 55 |
> > credentials. |
| 56 |
> |
| 57 |
> As long as you don't get tickets for your (windows) clients, this is out |
| 58 |
> of scope. |
| 59 |
> |
| 60 |
> cheers |
| 61 |
> Paul |
| 62 |
> |
| 63 |
> BTW: Does anyone know a site tracking security flaws for kernel 2.6 and |
| 64 |
> the relevant fixes? |
| 65 |
Have you tried kerneltrap.org? There's always securityfocus.com... Perhaps |
| 66 |
you're looking for is something different. If you find it, let me know. =) |
| 67 |
|
| 68 |
Thanks for the feedback, Paul! |
| 69 |
|
| 70 |
-- |
| 71 |
gentoo-server@g.o mailing list |
Archives