
Absolute Basic question Kerberos/LDAP

 
 
Tom

 
      09-25-2008, 02:19 PM
Hello folks!

As I am just setting up once again a Samba PDC, I was just once again
confronted with Kerberos and LDAP as an authentication alternative to the
samba-password file-method.

Once again I asked Wikipedia about those services.
Once again I actually did not really understand
- what those services actually do - not as a theory, but what it means in
practice!
- what the difference between Kerberos and LDAP is and why they seem
somehow to be linked with each other
- if I would have any benefit from installing them on a server where I act
as a PDC fileserver.

So please: could anybody provide me some VERY BASIC info about what this is
all about?

Thank you very much for every piece of info/advice

tom

--
Help keep the usenet free!
Use and/or support (e.g. by setting up an own server) the nonprofit
open-news-network project:
http://www.open-news-network.org/

 
 
 
 
 
Allen Kistler

 
      09-25-2008, 04:28 PM
Tom wrote:
> Hello folks!
>
> As I am just setting up once again a Samba PDC, I was just once again
> confronted with Kerberos and LDAP as an authentication alternative to
> the samba-password file-method.
>
> Once again I asked Wikipedia about those services.
> Once again I actually did not really understand
> - what those services actually do - not as a theory, but what it means
> in practice!


LDAP is a hierarchical database, usually called a directory. A
directory is just like what it sounds. It's a phone book. It's a list
of names and some info about the things that have those names. You need
someplace to keep a list of your users, right?

Kerberos is an authentication mechanism. Just because I might say I'm
Abraham Lincoln doesn't mean I actually am Abraham Lincoln. If Abraham
Lincoln is a valid user (say, because he's listed in the directory) and
he has access to something (like a web service or a file service), that
something should have a way to make me have to prove I'm Abraham Lincoln
(which, of course, I should fail, since I'm not) then be able to make an
access decision based on success or failure.

> - what the difference between Kerberos and LDAP is and why they seem
> somehow to be linked with each other


They aren't necessarily linked. Kerberos needs a list of valid users
and their passwords/certificates/whatever. It also needs a list of
access-controlled services (the things that are going to ask you to
authenticate before they let you in). It doesn't have to be LDAP, but
LDAP is pretty handy, especially if you've got lots of users and/or lots
of services. You can, of course, store other stuff in LDAP, too, like
email addresses, phone numbers, and organizational info (the stuff LDAP
was actually originally invented to store), but Kerberos doesn't care
about those.

> - if I would have any benefit from installing them on a server where I
> act as a PDC fileserver.


Well, if you want to integrate with Windows systems (especially Win2k
and later) or if you just want to Kerberize your file service, then
AD-compatibility is a benefit.

If you just want Kerberos, NFSv4 also supports Kerberos. (Actually
NFSv4 *requires* an authentication mechanism, and most/all
implementations use Kerberos as that mechanism. Theoretically NFSv4
could use a mechanism that involves reciting secret chants and waving a
rabbit's foot, but I'm not aware of any such implementations.) But most
people use Samba instead of NFSv4 (conjecture based on perception, not
assertion based on careful statistics), probably because there are more
implementation notes/stories/howtos/etc. on it.

If you just want a fileshare for UNIX/Linux and if NFSv3 and earlier
satisfy all your needs, then there's no benefit to Samba and Kerberos.
Just use NFSv3 or earlier. Many people do.

> So please: could anybody provide me some VERY BASIC info about what
> this is all about?
>
> Thank you very much for every piece of info/advice

 
Reply With Quote
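A toy model of the split described in the answer above, added here as an illustration and not part of the thread: the directory only lists who exists, while the KDC holds secrets for users and for services and issues a ticket that the file service can check without ever seeing the password. It is not the real Kerberos protocol: HMAC stands in for Kerberos' symmetric encryption, there are no session keys or replay protection, and every name, password and key below is constructed.

```python
import hashlib, hmac, json, os, time

# Directory (the "phone book"): who exists plus attributes. It proves nothing.
DIRECTORY = {"alincoln": {"cn": "Abraham Lincoln", "mail": "alincoln@example.org"}}

def derive_key(principal, password):
    """Long-term secret key derived from a password, salted with the principal name."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 10_000)

# KDC database: keys for valid users AND for access-controlled services (constructed).
KDC_KEYS = {
    "alincoln": derive_key("alincoln", "four-score-and-7"),
    "cifs/fileserver": derive_key("cifs/fileserver", "random-service-secret"),
}

def mac(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()

def kdc_issue_ticket(user, nonce, proof, service, now=None):
    """Issue a ticket only if `proof` shows knowledge of the user's long-term key."""
    if user not in DIRECTORY or user not in KDC_KEYS or service not in KDC_KEYS:
        return None  # unknown user or unknown service
    if not hmac.compare_digest(mac(KDC_KEYS[user], nonce), proof):
        return None  # claimed the name but could not prove it
    expires = (time.time() if now is None else now) + 300
    body = json.dumps({"user": user, "service": service, "expires": expires}).encode()
    # The ticket is sealed with the SERVICE's key, so only KDC and service can make one.
    return {"body": body, "tag": mac(KDC_KEYS[service], body)}

def service_accepts(service, service_key, ticket, now=None):
    """File-service side: verify the ticket with its own key, return the user or None."""
    if ticket is None or not hmac.compare_digest(mac(service_key, ticket["body"]),
                                                 ticket["tag"]):
        return None
    claims = json.loads(ticket["body"])
    now = time.time() if now is None else now
    if claims["service"] != service or claims["expires"] < now:
        return None  # ticket is for another service, or has expired
    return claims["user"]

def login(user, password, service="cifs/fileserver"):
    """Client side: prove knowledge of the password to the KDC, then present the ticket."""
    nonce = os.urandom(16)
    proof = mac(derive_key(user, password), nonce)
    ticket = kdc_issue_ticket(user, nonce, proof, service)
    # In this toy the service's copy of its own key is read from the same table.
    return service_accepts(service, KDC_KEYS.get(service, b""), ticket)
```

The access decision is made on the ticket alone: `login` returns the user name when the proof succeeds and `None` when it fails.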
 
Tom

 
      10-02-2008, 10:05 AM
Hello Allen!

Thank you very much for your detailed info! You helped me very much with
that!
Best regards
Tom


 