s+c LDAP Authentication Package for the Microsoft Kerberos security support provider
Microsoft Windows® offers authentication against external Kerberos realms for local users (Kerberos 5 Interoperability, krb5 1.0). However, a network authentication protocol is of little use if it can only be applied to local users.
The s+c Authentication Package SCAP is a security support provider for Microsoft Windows® XP workstations. SCAP adds LDAP support to Windows XP by creating the necessary local user accounts on the fly. The actual authentication is passed through to Microsoft's Kerberos SSP.
All examples assume workstations and servers in the example.com DNS domain. The Kerberos realm is named EXAMPLE.COM, the LDAP base DN is dc=example,dc=com. The Windows XP client is named xp.example.com, the KDCs are named kdc1.example.com through kdc3.example.com, and the kpasswd service runs on kdc1.example.com. The LDAP servers are ldap1.example.com through ldap3.example.com.
The user is called johndoe; the user's principal johndoe@EXAMPLE.COM is assumed to already exist.
You must install and configure Microsoft's Kerberos 5 Interoperability Software. To do so, install the support tools from any Windows XP installation CD and choose a complete install.
Create a host principal on your UNIX KDC for your XP workstation:
kadmin> addprinc -e arcfour-hmac-md5:normal,des-cbc-md5:normal host/xp.example.com
Enter a random password. If your Kerberos V implementation does not support arcfour-hmac-md5, just use "-e des-cbc-md5:normal".
Configure Kerberos 5 Interoperability on your XP workstation according to http://www.microsoft.com/technet/prodtechnol/windows2000serv/howto/kerbstep.mspx#EEAA
ksetup /SetRealm EXAMPLE.COM
ksetup /AddKdc EXAMPLE.COM kdc1.example.com
ksetup /AddKdc EXAMPLE.COM kdc2.example.com
ksetup /AddKdc EXAMPLE.COM kdc3.example.com
ksetup /AddKpasswd EXAMPLE.COM kdc1.example.com
ksetup /MapUser * *
ksetup /SetComputerPassword (random password from above)
Ensure the time of your XP workstation is in sync with the time of your KDCs (Kerberos rejects tickets outside the permitted clock skew).
Ensure the computer name under My Computer → Properties → Computer Name is xp.example.com.
Create a local user matching the existing Kerberos principal name johndoe.
Reboot.
Log on to the Kerberos realm EXAMPLE.COM as johndoe.
Currently there is no installer wizard available. Simply copy sspap3.dll to %SYSTEMROOT%\SYSTEM32 and create the following key in the Windows registry:
HKLM\Software\Science + Computing\scap
All of scap's configuration will be stored below this key.
Configure your LDAP base DN by creating this value:
basedn REG_SZ dc=example,dc=com
Define your LDAP server(s) by creating this REG_MULTI_SZ value:
Servers REG_MULTI_SZ ldap1.example.com ldap2.example.com ldap3.example.com
To activate the SSP, replace Kerberos by sspap3 in the value Security Packages below HKLM\SYSTEM\CurrentControlSet\Control\Lsa:
Security Packages REG_MULTI_SZ sspap3 msv1_0 schannel wdigest
Reboot your XP workstation.
Now any POSIX user in the LDAP directory that has a corresponding Kerberos principal should be able to log on.
Add the credentials used to bind for LDAP searches to the following registry values:
binddn REG_SZ cn=nss,dc=example,dc=com
binpasswd REG_SZ secret
Note that binpasswd is stored in the registry in clear text, so the bind account should have read-only rights and the scap key should be readable only by SYSTEM and Administrators.
The LDAP SSP sets the user's homepath according to one of the following attributes (highest precedence mentioned first):
the user's LDAP attribute sambaHomePath (samba)
the user's LDAP attribute homeDirectory (POSIX)
the module's registry value REG_SZ homepath
All occurrences of "/" are replaced by "\" automatically, e.g. homeDirectory=/home/johndoe will yield a homepath of "\home\johndoe".
The resulting string may be postprocessed with rules stored in registry REG_MULTI_SZ values named "homepathreplace(number)". If the first string of each REG_MULTI_SZ value matches on the left of the current homepath, the match is replaced by the second string. Applied to "\home\johndoe", the following set of rules
REG_MULTI_SZ homepathreplace0 "\home\" "\\homeserver\homeshare\"
REG_MULTI_SZ homepathreplace1 "\home2\" "\\homeserver\home2\"
will yield a homepath of "\\homeserver\homeshare\johndoe".
If you use a logon script to connect the share holding all the homes to H:, then use
REG_MULTI_SZ homepathreplace0 "\home\" "H:\"
which will result in H:\johndoe.
The LDAP SSP sets the user's homedrive according to one of the following attributes (highest precedence mentioned first):
the user's LDAP attribute sambaHomeDrive (samba)
the module's registry value REG_SZ homedrive
There are no rewriting rules for the home drive. Use a home drive if you connect a share holding exactly the user's home.
The LDAP SSP sets the path to the user's profile according to one of the following attributes (highest precedence mentioned first):
case 1: the user's LDAP attribute sambaProfilePath (samba)
case 2: if a home drive has been supplied in the previous section, the module's registry value REG_SZ profilepath with the home drive prepended
case 3: the module's registry value REG_SZ profilepath appended to the homepath from above, with postprocessing
Postprocessing rules for case 3 work as with homepathreplace(number), but are called profilereplace(number). There are no rewriting rules for cases 1 or 2.
If the user has an LDAP attribute sambaProfilePath=\\profileserver\profiles then that is used.
If instead the REG_SZ profilepath has been set to "\profiles", and a home drive "D:" has been supplied in the previous section, "D:\profiles" is used.
If neither sambaProfilePath is defined in LDAP nor a home drive has been supplied, the homepath from above is used, REG_SZ profilepath is appended and postprocessing applies. Say homepath were \\homeserver\homepath\johndoe, profilepath the empty string and profilereplace0 the REG_MULTI_SZ value "\\homeserver\homepath\" "\\profileserver\profiles\"; the resulting profile would be \\profileserver\profiles\johndoe.
The LDAP SSP sets the path to the user's logon script according to one of the following attributes (highest precedence mentioned first):
the user's LDAP attribute sambaLogonScript (samba)
the module's registry value REG_SZ logonscript
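The following Python script is an added example, not the sspap3.dll source: it models the homepath, home drive, profile path and logon script resolution described in the preceding sections, including the "/" to "\" replacement and the homepathreplace(number) / profilereplace(number) rewriting, so that a registry configuration can be dry-run against a user's LDAP attributes before it is rolled out. The ldap and registry dicts are constructed stand-ins for the LDAP entry and the scap registry key (REG_SZ values as strings, REG_MULTI_SZ rule values as (match, replacement) pairs). Two points the text leaves open are assumptions here: rules are collected from number 0 upward until the first missing number, and each rule is applied in that order to the result of the previous ones.

```python
"""Model of SCAP's path resolution rules (added example, not the sspap3.dll code).

'ldap'     : dict of LDAP attribute name -> string (constructed stand-in)
'registry' : dict of value name -> REG_SZ string, or (match, replacement)
             tuple for the REG_MULTI_SZ rule values (constructed stand-in)
"""


def apply_rules(value, rules):
    """Apply homepathreplaceN / profilereplaceN style rules to value.

    Each rule is a (match, replacement) pair; when 'match' is found on the
    left of the current value, that prefix is replaced by 'replacement'.
    Assumption: rules run in numeric order, each against the previous result.
    """
    for match, replacement in rules:
        if match and value.startswith(match):
            value = replacement + value[len(match):]
    return value


def numbered_rules(registry, prefix):
    """Collect prefix0, prefix1, ... until the first missing number (assumed numbering)."""
    rules = []
    n = 0
    while prefix + str(n) in registry:
        rules.append(registry[prefix + str(n)])
        n += 1
    return rules


def resolve_homepath(ldap, registry):
    """sambaHomePath > homeDirectory > registry homepath, then '/' -> '\\',
    then homepathreplaceN postprocessing."""
    raw = (ldap.get("sambaHomePath")
           or ldap.get("homeDirectory")
           or registry.get("homepath", ""))
    return apply_rules(raw.replace("/", "\\"),
                       numbered_rules(registry, "homepathreplace"))


def resolve_homedrive(ldap, registry):
    """sambaHomeDrive > registry homedrive; no rewriting rules."""
    return ldap.get("sambaHomeDrive") or registry.get("homedrive", "")


def resolve_profilepath(ldap, registry):
    """Case 1: sambaProfilePath as-is.  Case 2: home drive + profilepath.
    Case 3: resolved homepath + profilepath, then profilereplaceN rules."""
    if ldap.get("sambaProfilePath"):
        return ldap["sambaProfilePath"]
    profilepath = registry.get("profilepath", "")
    homedrive = resolve_homedrive(ldap, registry)
    if homedrive:
        return homedrive + profilepath
    return apply_rules(resolve_homepath(ldap, registry) + profilepath,
                       numbered_rules(registry, "profilereplace"))


def resolve_logonscript(ldap, registry):
    """sambaLogonScript > registry logonscript."""
    return ldap.get("sambaLogonScript") or registry.get("logonscript", "")


def resolve_all(ldap, registry):
    """Everything SCAP derives for one user, as a dict."""
    return {
        "homepath": resolve_homepath(ldap, registry),
        "homedrive": resolve_homedrive(ldap, registry),
        "profilepath": resolve_profilepath(ldap, registry),
        "logonscript": resolve_logonscript(ldap, registry),
    }


if __name__ == "__main__":
    # Constructed sample: johndoe with a POSIX home, the two homepathreplace
    # rules from the text, and a case-3 profile rewrite onto the profile server.
    sample_ldap = {"homeDirectory": "/home/johndoe"}
    sample_registry = {
        "homepathreplace0": ("\\home\\", "\\\\homeserver\\homeshare\\"),
        "homepathreplace1": ("\\home2\\", "\\\\homeserver\\home2\\"),
        "profilepath": "",
        "profilereplace0": ("\\\\homeserver\\homeshare\\", "\\\\profileserver\\profiles\\"),
        "logonscript": "logon.bat",          # constructed value
    }
    for key, value in resolve_all(sample_ldap, sample_registry).items():
        print(f"{key:12s} {value}")
```

Running the script prints \\homeserver\homeshare\johndoe as homepath, an empty home drive, \\profileserver\profiles\johndoe as profile path and logon.bat as logon script. Because the REG_MULTI_SZ rules are plain prefix replacements, a rule whose first string does not end in a path separator (e.g. "\home" instead of "\home\") would also rewrite "\home2\johndoe"; keeping the trailing backslash in the match string avoids that.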
The sources are in CVS; the module name is "sc-ap".