Hi all,

I was wondering if it is possible when SAMBA is configured with LDAP
as authentication backend and ESOE is configured with LDAP as
authentication source the SAMBA session is available in ESOE.
This connection is great because when as user logs in to the PDC the
user is also connected to the applications that are connected to ESOE
like blackboard, Google Apps, or OpenID or some other application.

Greets Martijn.

Hi,

We already have an authentication mechanism in place which allows ESOE
to integrate with a domain controller setup provided by Windows servers
which we've documented here:
http://esoeproject.org/confluence/display/eu/ESOE+to+Active+Directory...

Essentially this allows a user to login to their workstation of a
morning and automatically be provided access to ESOE services we call
this "true single sign on" and the clients we have who've deployed it
really love it. In the back end there is a bunch of SPNEGO ticket
validation going on.

Does the Samba PDC provide the SPNEGO type functionality? If so it may
not be much effort to test an ESOE setup against a Samba PDC and
validate this works.

I hope I've interpreted your query below correctly, please correct me if
I've totally misread your requirements :).

regards,
Bradley
--
Bradley Beddoes
Lead Software Architect
Intient Pty Ltd

Join me on LinkedIn: http://www.linkedin.com/in/beddoes

Martijn van der Plaat wrote:

Hi Bradley,

At the moment i don't have much pratical experience with Samba. I dont
really understand the function of SPNEGO.
I know that SAMBA can be configured with LDAP as backend. On the ESOE
website i saw the graphical picture with LDAP as a possible solution
beside the Windows Login service (that is i think the Active Directory
integration you mean).

So the trick lays in the LDAP session? If that LDAP connection to ESOE
in the picture means that the LDAP session can be integrated in ESOE
it would be great. But again i don't fully understand how things
work.
Maybe you can tell how to do this? I want to take effort in realising
this SAMBA-ESOE connection.

Greets.

Martijn van der Plaat

On 1 jun, 08:13, Bradley Beddoes <bedd...@intient.com> wrote:

Samba have a setting  "SPNEGO=yes" but Samba use this SMB signing to
join a Windows Domain Controller.
Maybe this helps you?

Greets Martijn

On 1 jun, 18:37, Martijn van der Plaat <martijnpl...@gmail.com> wrote:

Hello,

Martijn van der Plaat wrote:

This wikipedia article and associated (linked) RFC's etc may be of
assistance to you http://en.wikipedia.org/wiki/SPNEGO

Essentially your looking at either using native LDAP integration or
SPNEGO support (you can use both in sequence, if ESOE detects no SPNEGO
support it will fall through to native LDAP support with an associated
web form).

Basically you'd want to configure your PDC and the ESOE to utilize the
same LDAP server for authentication. When a user logs into their
workstation their credentials will ultimately be validated against this
LDAP server. Once this is completed (assuming Samba support for SPNEGO
is a go) their Windows machines will have access to tokens which ESOE
(also configured to talk to your PDC) can accept and validate.

For users not logged into the domain (off site for example) they will be
presented with a web form to enter their credentials for initial
authentication, this will be validated directly against your LDAP server
(no PDC involvement at all here).

By going with this approach you only have a single store of
users/credentials and for end users this means the same
username/password to access their workstations and web tier content.

The next step is probably to figure out just what level of SPNEGO
support a SAMBA PDC exports, if it can give everything we require on the
previous configuration URL i sent you then its probably good to go.

regards,
Bradley

--
Bradley Beddoes
Lead Software Architect
Intient Pty Ltd

Join me on LinkedIn: http://www.linkedin.com/in/beddoes

Hi,

I did some little research and now i understand that SPNEGO helps the
client and server to negotiate which mechanism to choose like
Kerberos. I found in the source code of Samba the spnego.c file and it
tells me that they use a RFC2478 Compliant SPNEGO implementation. With
functions like:
read_negTokenInit, write_negTokenInit  to initiate
and read_negTokenTarg, write_negTokenTarg to talk after the init.
But i don't know if it is a problem for ESOE that the SPNEGO function
in samba is used to communicate with an Windows AD.

Greets Martijn.

The C file :

/*
   Unix SMB/CIFS implementation.

   RFC2478 Compliant SPNEGO implementation

   Copyright (C) Jim McDonough <j...@us.ibm.com>   2003

   This program is free software; you can redistribute it and/or
modify
   it under the terms of the GNU General Public License as published
by
   the Free Software Foundation; either version 2 of the License, or
   (at your option) any later version.

   This program is distributed in the hope that it will be useful,
   but WITHOUT ANY WARRANTY; without even the implied warranty of
   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
   GNU General Public License for more details.

   You should have received a copy of the GNU General Public License
   along with this program; if not, write to the Free Software
   Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
*/

#include "includes.h"

#undef DBGC_CLASS
#define DBGC_CLASS DBGC_AUTH

static BOOL read_negTokenInit(ASN1_DATA *asn1, negTokenInit_t *token)
{
        ZERO_STRUCTP(token);

        asn1_start_tag(asn1, ASN1_CONTEXT(0));
        asn1_start_tag(asn1, ASN1_SEQUENCE(0));

        while (!asn1->has_error && 0 < asn1_tag_remaining(asn1)) {
                int i;

                switch (asn1->data[asn1->ofs]) {
                /* Read mechTypes */
                case ASN1_CONTEXT(0):
                        asn1_start_tag(asn1, ASN1_CONTEXT(0));
                        asn1_start_tag(asn1, ASN1_SEQUENCE(0));

                        token->mechTypes = SMB_MALLOC_P(char *);
                        for (i = 0; !asn1->has_error &&
                                     0 < asn1_tag_remaining(asn1); i++) {
                                token->mechTypes =
                                        SMB_REALLOC_ARRAY(token->mechTypes, char *, i + 2);
                                asn1_read_OID(asn1, token->mechTypes + i);
                        }
                        token->mechTypes[i] = NULL;

                        asn1_end_tag(asn1);
                        asn1_end_tag(asn1);
                        break;
                /* Read reqFlags */
                case ASN1_CONTEXT(1):
                        asn1_start_tag(asn1, ASN1_CONTEXT(1));
                        asn1_read_Integer(asn1, &token->reqFlags);
                        token->reqFlags |= SPNEGO_REQ_FLAG;
                        asn1_end_tag(asn1);
                        break;
                /* Read mechToken */
                case ASN1_CONTEXT(2):
                        asn1_start_tag(asn1, ASN1_CONTEXT(2));
                        asn1_read_OctetString(asn1, &token->mechToken);
                        asn1_end_tag(asn1);
                        break;
                /* Read mecListMIC */
                case ASN1_CONTEXT(3):
                        asn1_start_tag(asn1, ASN1_CONTEXT(3));
                        if (asn1->data[asn1->ofs] == ASN1_OCTET_STRING) {
                                asn1_read_OctetString(asn1,
                                                      &token->mechListMIC);
                        } else {
                                /* RFC 2478 says we have an Octet String here,
                                   but W2k sends something different... */
                                char *mechListMIC;
                                asn1_push_tag(asn1, ASN1_SEQUENCE(0));
                                asn1_push_tag(asn1, ASN1_CONTEXT(0));
                                asn1_read_GeneralString(asn1, &mechListMIC);
                                asn1_pop_tag(asn1);
                                asn1_pop_tag(asn1);

                                token->mechListMIC =
                                        data_blob(mechListMIC, strlen(mechListMIC));
                                SAFE_FREE(mechListMIC);
                        }
                        asn1_end_tag(asn1);
                        break;
                default:
                        asn1->has_error = True;
                        break;
                }
        }

        asn1_end_tag(asn1);
        asn1_end_tag(asn1);

        return !asn1->has_error;

static BOOL write_negTokenInit(ASN1_DATA *asn1, negTokenInit_t *token)
{
        asn1_push_tag(asn1, ASN1_CONTEXT(0));
        asn1_push_tag(asn1, ASN1_SEQUENCE(0));

        /* Write mechTypes */
        if (token->mechTypes && *token->mechTypes) {
                int i;

                asn1_push_tag(asn1, ASN1_CONTEXT(0));
                asn1_push_tag(asn1, ASN1_SEQUENCE(0));
                for (i = 0; token->mechTypes[i]; i++) {
                        asn1_write_OID(asn1, token->mechTypes[i]);
                }
                asn1_pop_tag(asn1);
                asn1_pop_tag(asn1);
        }

        /* write reqFlags */
        if (token->reqFlags & SPNEGO_REQ_FLAG) {
                int flags = token->reqFlags & ~SPNEGO_REQ_FLAG;

                asn1_push_tag(asn1, ASN1_CONTEXT(1));
                asn1_write_Integer(asn1, flags);
                asn1_pop_tag(asn1);
        }

        /* write mechToken */
        if (token->mechToken.data) {
                asn1_push_tag(asn1, ASN1_CONTEXT(2));
                asn1_write_OctetString(asn1, token->mechToken.data,
                                       token->mechToken.length);
                asn1_pop_tag(asn1);
        }

        /* write mechListMIC */
        if (token->mechListMIC.data) {
                asn1_push_tag(asn1, ASN1_CONTEXT(3));
#if 0
                /* This is what RFC 2478 says ... */
                asn1_write_OctetString(asn1, token->mechListMIC.data,
                                       token->mechListMIC.length);
#else
                /* ... but unfortunately this is what Windows
                   sends/expects */
                asn1_push_tag(asn1, ASN1_SEQUENCE(0));
                asn1_push_tag(asn1, ASN1_CONTEXT(0));
                asn1_push_tag(asn1, ASN1_GENERAL_STRING);
                asn1_write(asn1, token->mechListMIC.data,
                           token->mechListMIC.length);
                asn1_pop_tag(asn1);
                asn1_pop_tag(asn1);
                asn1_pop_tag(asn1);
#endif
                asn1_pop_tag(asn1);
        }

        asn1_pop_tag(asn1);
        asn1_pop_tag(asn1);

        return !asn1->has_error;

static BOOL read_negTokenTarg(ASN1_DATA *asn1, negTokenTarg_t *token)
{
        ZERO_STRUCTP(token);

        asn1_start_tag(asn1, ASN1_CONTEXT(1));
        asn1_start_tag(asn1, ASN1_SEQUENCE(0));

        while (!asn1->has_error && 0 < asn1_tag_remaining(asn1)) {
                switch (asn1->data[asn1->ofs]) {
                case ASN1_CONTEXT(0):
                        asn1_start_tag(asn1, ASN1_CONTEXT(0));
                        asn1_start_tag(asn1, ASN1_ENUMERATED);
                        asn1_read_uint8(asn1, &token->negResult);
                        asn1_end_tag(asn1);
                        asn1_end_tag(asn1);
                        break;
                case ASN1_CONTEXT(1):
                        asn1_start_tag(asn1, ASN1_CONTEXT(1));
                        asn1_read_OID(asn1, &token->supportedMech);
                        asn1_end_tag(asn1);
                        break;
                case ASN1_CONTEXT(2):
                        asn1_start_tag(asn1, ASN1_CONTEXT(2));
                        asn1_read_OctetString(asn1, &token->responseToken);
                        asn1_end_tag(asn1);
                        break;
                case ASN1_CONTEXT(3):
                        asn1_start_tag(asn1, ASN1_CONTEXT(3));
                        asn1_read_OctetString(asn1, &token->mechListMIC);
                        asn1_end_tag(asn1);
                        break;
                default:
                        asn1->has_error = True;
                        break;
                }
        }

        asn1_end_tag(asn1);
        asn1_end_tag(asn1);

        return !asn1->has_error;

static BOOL write_negTokenTarg(ASN1_DATA *asn1, negTokenTarg_t *token)
{
        asn1_push_tag(asn1, ASN1_CONTEXT(1));
        asn1_push_tag(asn1, ASN1_SEQUENCE(0));

        asn1_push_tag(asn1, ASN1_CONTEXT(0));
        asn1_write_enumerated(asn1, token->negResult);
        asn1_pop_tag(asn1);

        if (token->supportedMech) {
                asn1_push_tag(asn1, ASN1_CONTEXT(1));
                asn1_write_OID(asn1, token->supportedMech);
                asn1_pop_tag(asn1);
        }

        if (token->responseToken.data) {
                asn1_push_tag(asn1, ASN1_CONTEXT(2));
                asn1_write_OctetString(asn1, token->responseToken.data,
                                       token->responseToken.length);
                asn1_pop_tag(asn1);
        }

        if (token->mechListMIC.data) {
                asn1_push_tag(asn1, ASN1_CONTEXT(3));
                asn1_write_OctetString(asn1, token->mechListMIC.data,
                                      token->mechListMIC.length);
                asn1_pop_tag(asn1);
        }

        asn1_pop_tag(asn1);
        asn1_pop_tag(asn1);

        return !asn1->has_error;

ssize_t read_spnego_data(DATA_BLOB data, SPNEGO_DATA *token)
{
        ASN1_DATA asn1;
        ssize_t ret = -1;

        ZERO_STRUCTP(token);
        ZERO_STRUCT(asn1);
        asn1_load(&asn1, data);

        switch (asn1.data[asn1.ofs]) {
        case ASN1_APPLICATION(0):
                asn1_start_tag(&asn1, ASN1_APPLICATION(0));
                asn1_check_OID(&asn1, OID_SPNEGO);
                if (read_negTokenInit(&asn1, &token->negTokenInit)) {
                        token->type = SPNEGO_NEG_TOKEN_INIT;
                }
                asn1_end_tag(&asn1);
                break;
        case ASN1_CONTEXT(1):
                if (read_negTokenTarg(&asn1, &token->negTokenTarg)) {
                        token->type = SPNEGO_NEG_TOKEN_TARG;
                }
                break;
        default:
                break;
        }

        if (!asn1.has_error) ret = asn1.ofs;
        asn1_free(&asn1);

        return ret;

ssize_t write_spnego_data(DATA_BLOB *blob, SPNEGO_DATA *spnego)
{
        ASN1_DATA asn1;
        ssize_t ret = -1;

        ZERO_STRUCT(asn1);

        switch (spnego->type) {
        case SPNEGO_NEG_TOKEN_INIT:
                asn1_push_tag(&asn1, ASN1_APPLICATION(0));
                asn1_write_OID(&asn1, OID_SPNEGO);
                write_negTokenInit(&asn1, &spnego->negTokenInit);
                asn1_pop_tag(&asn1);
                break;
        case SPNEGO_NEG_TOKEN_TARG:
                write_negTokenTarg(&asn1, &spnego->negTokenTarg);
                break;
        default:
                asn1.has_error = True;
                break;
        }

        if (!asn1.has_error) {
                *blob = data_blob(asn1.data, asn1.length);
                ret = asn1.ofs;
        }
        asn1_free(&asn1);

        return ret;

BOOL free_spnego_data(SPNEGO_DATA *spnego)
{
        BOOL ret = True;

        if (!spnego) goto out;

        switch(spnego->type) {
        case SPNEGO_NEG_TOKEN_INIT:
                if (spnego->negTokenInit.mechTypes) {
                        int i;
                        for (i = 0; spnego->negTokenInit.mechTypes[i]; i++) {
                                free(spnego->negTokenInit.mechTypes[i]);
                        }
                        free(spnego->negTokenInit.mechTypes);
                }
                data_blob_free(&spnego->negTokenInit.mechToken);
                data_blob_free(&spnego->negTokenInit.mechListMIC);
                break;
        case SPNEGO_NEG_TOKEN_TARG:
                if (spnego->negTokenTarg.supportedMech) {
                        free(spnego->negTokenTarg.supportedMech);
                }
                data_blob_free(&spnego->negTokenTarg.responseToken);
                data_blob_free(&spnego->negTokenTarg.mechListMIC);
                break;
        default:
                ret = False;
                break;
        }
        ZERO_STRUCTP(spnego);
out:
        return ret;

On Jun 2, 12:37 am, Bradley Beddoes <bedd...@intient.com> wrote:

...

read more »

Hi,
Ok so your best bet now is to join a windows client to your PDC (you can
also use the other OS's if you feel more comfortable) and do some
testing. On the ESOE side configuration should be similar to that posted
online for full blown Active Directory it would appear.

regards,
Bradley

--
Bradley Beddoes
Lead Software Architect
Intient Pty Ltd

Join me on LinkedIn: http://www.linkedin.com/in/beddoes

Martijn van der Plaat wrote: