From: Andrew Bartlett (abartlet at samba dot org)
Date: Thu Nov 04 2004 - 19:41:04 EST
On Thu, 2004-11-04 at 19:53, Morten Sylvest Olsen wrote:
> On Wed, 2004-11-03 at 23:30, Hannes Geissbuehler wrote:
> > Hi
> > is there any good documentation how to implement a sasl client which can
> > authenticate users with an active directory ?
> Not really, but it is not much different from using the GSSAPI mechanism
> with any kind of Kerberos KDC. There are many possibilities for errors
> and it can sometimes be hard to debug because of the many layers
> (Kerberos -> GSSAPI -> SASL).
Ahh, but it's only really fun when it's Kerberos -> GSSAPI -> SPNEGO ->
> After you have authenticated the user on the server side one can use
> LDAP calls to query the AD for more information including group
> membership. This is also included in the Microsoft PAC in the Kerberos
> ticket, but that is a bit hard to extract. (read: mostly undocumented,
> and the MS document which describes it has a license which forbids you
> to use it)
That is no longer the case. Partial documentation is public, but it's a
pain to get the PAC out of GSSAPI (Heimdal has a hook, I understand, but
Samba fakes its own GSSAPI instead). Samba3 parses the PAC, and Samba4
has a good parser, and will shortly be able to verify the signatures.
> On the server side you need a host key which can be extracted using the
> ktpass utility from the resource kit. Or one can cheat using Samba 3 to
> join the domain getting the key as a side-effect.
If you are going to have Samba on the same server, then joining via
Samba is certainly the best way forward.
--
Andrew Bartlett                                 abartlet at samba dot org
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  abartlet at hawkerc dot net
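To make concrete what "parse the PAC and verify the signatures" involves for a service that has just accepted a ticket, here is an added example; it is not code from the thread, from Samba or from Heimdal. It walks the MS-PAC buffer table (PACTYPE header and PAC_INFO_BUFFER entries), pulls the client name out of PAC_CLIENT_INFO, and checks the server checksum (buffer type 6) with the service's key using the HMAC-MD5 checksum of RC4-HMAC (RFC 4757 section 4, key usage 17). Assumptions: the PAC bytes, the 16-byte service key and the client name are constructed here and are not real domain data; the logon-info buffer is an opaque placeholder rather than a real NDR-encoded KERB_VALIDATION_INFO; only the RC4-HMAC checksum type is handled; and the KDC checksum (type 7) is left zeroed because only the krbtgt key can compute it, so a service cannot verify it.

```python
"""Parse a Microsoft PAC buffer table and verify its server checksum.
Added example, not Samba code. Standard library only; all PAC contents
and the key below are constructed for illustration."""
import hashlib
import hmac
import struct

# PAC_INFO_BUFFER ulType values (MS-PAC section 2.4)
PAC_LOGON_INFO = 1          # KERB_VALIDATION_INFO, NDR-encoded (group SIDs live here)
PAC_SERVER_CHECKSUM = 6     # signed with the service's key
PAC_PRIVSVR_CHECKSUM = 7    # KDC signature over the server checksum (krbtgt key)
PAC_CLIENT_INFO = 10

KERB_CHECKSUM_HMAC_MD5 = 0xFFFFFF76   # -138 as unsigned 32-bit (RC4-HMAC)
KU_PAC_SERVER_CHECKSUM = 17           # key usage for the server signature
SIGNATURE_BUFFER = struct.pack("<I", KERB_CHECKSUM_HMAC_MD5) + b"\x00" * 16

# Constructed sample data (not real domain data)
SERVICE_KEY = bytes(range(16))                       # stands in for the host's RC4-HMAC key
LOGON_INFO_PLACEHOLDER = b"\x01\x10\x08\x00" + b"\x00" * 20   # opaque filler, not real NDR
CLIENT_INFO = struct.pack("<QH", 0x01C4C2D3A0000000, 16) + "abartlet".encode("utf-16-le")


def parse_pac(blob):
    """Return {ulType: (offset, data)} from the PACTYPE header and buffer table."""
    cbuffers, version = struct.unpack_from("<II", blob, 0)
    if version != 0:
        raise ValueError("unsupported PACTYPE version %d" % version)
    buffers, pos = {}, 8
    for _ in range(cbuffers):
        ultype, size, offset = struct.unpack_from("<IIQ", blob, pos)
        pos += 16
        if offset + size > len(blob):            # reject buffers pointing outside the blob
            raise ValueError("buffer type %d runs past end of PAC" % ultype)
        buffers[ultype] = (offset, bytes(blob[offset:offset + size]))
    return buffers


def parse_client_info(data):
    """PAC_CLIENT_INFO: FILETIME ClientId, USHORT NameLength (bytes), UTF-16LE Name."""
    client_id, name_len = struct.unpack_from("<QH", data, 0)
    return client_id, data[10:10 + name_len].decode("utf-16-le")


def hmac_md5_checksum(key, usage, data):
    """KERB_CHECKSUM_HMAC_MD5: Ksign = HMAC(K, "signaturekey" NUL);
    result = HMAC(Ksign, MD5(usage_le32 || data))  (RFC 4757 section 4)."""
    ksign = hmac.new(key, b"signaturekey\x00", hashlib.md5).digest()
    tmp = hashlib.md5(struct.pack("<I", usage) + data).digest()
    return hmac.new(ksign, tmp, hashlib.md5).digest()


def zero_signatures(blob, buffers):
    """Copy of the PAC with both Signature fields zeroed; SignatureType is kept."""
    out = bytearray(blob)
    for ultype in (PAC_SERVER_CHECKSUM, PAC_PRIVSVR_CHECKSUM):
        offset, data = buffers[ultype]
        out[offset + 4:offset + len(data)] = b"\x00" * (len(data) - 4)
    return bytes(out)


def verify_server_checksum(blob, service_key):
    """True if the server checksum over the PAC matches under service_key."""
    buffers = parse_pac(blob)
    if PAC_SERVER_CHECKSUM not in buffers or PAC_PRIVSVR_CHECKSUM not in buffers:
        return False
    _, sig_buf = buffers[PAC_SERVER_CHECKSUM]
    (sig_type,) = struct.unpack_from("<I", sig_buf, 0)
    if sig_type != KERB_CHECKSUM_HMAC_MD5:
        raise ValueError("unsupported checksum type 0x%08x" % sig_type)
    expected = hmac_md5_checksum(service_key, KU_PAC_SERVER_CHECKSUM,
                                 zero_signatures(blob, buffers))
    return hmac.compare_digest(sig_buf[4:4 + 16], expected)


def build_pac(payload_buffers, service_key):
    """Assemble a PAC from [(ulType, bytes)], append the two signature buffers
    and fill in the server checksum. The KDC checksum stays zeroed on purpose."""
    bufs = list(payload_buffers) + [(PAC_SERVER_CHECKSUM, SIGNATURE_BUFFER),
                                    (PAC_PRIVSVR_CHECKSUM, SIGNATURE_BUFFER)]
    header_len = 8 + 16 * len(bufs)
    table, body = bytearray(struct.pack("<II", len(bufs), 0)), bytearray()
    for ultype, data in bufs:
        table += struct.pack("<IIQ", ultype, len(data), header_len + len(body))
        body += data + b"\x00" * (-len(data) % 8)   # buffers are 8-byte aligned
    blob = bytearray(table + body)
    buffers = parse_pac(blob)
    sig = hmac_md5_checksum(service_key, KU_PAC_SERVER_CHECKSUM, zero_signatures(blob, buffers))
    offset, _ = buffers[PAC_SERVER_CHECKSUM]
    blob[offset + 4:offset + 20] = sig
    return bytes(blob)


def build_sample_pac():
    return build_pac([(PAC_LOGON_INFO, LOGON_INFO_PLACEHOLDER),
                      (PAC_CLIENT_INFO, CLIENT_INFO)], SERVICE_KEY)


def flip_first_byte(blob, ultype):
    """Copy of the PAC with one bit flipped in the named buffer (tamper check)."""
    offset, _ = parse_pac(blob)[ultype]
    out = bytearray(blob)
    out[offset] ^= 0x01
    return bytes(out)


if __name__ == "__main__":
    pac = build_sample_pac()
    print("valid:   ", verify_server_checksum(pac, SERVICE_KEY))
    print("tampered:", verify_server_checksum(flip_first_byte(pac, PAC_LOGON_INFO), SERVICE_KEY))
    print("client:  ", parse_client_info(parse_pac(pac)[PAC_CLIENT_INFO][1])[1])
```

The point of the zeroing step is that both signature fields are part of the signed data and must be blanked (type field kept) before recomputing, which is also why a one-bit change anywhere in the logon info makes the check fail. A real implementation would additionally dispatch on the checksum type (AES keys use HMAC-SHA1-96 types 15 and 16) and would still have to trust the KDC checksum without verifying it.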