LDAP
antoine43, 2014-07-21 14:08:05

How to connect Kerberos + LDAP + DHCP + Samba?

Good day!
We have 2 servers on Debian/Ubuntu:
1. VLAN-generator, DHCP, router, Samba
2. LDAP, web server.
Clients are divided into subnets by binding MAC addresses to IPs in the DHCP server settings.
It is necessary to organize the authorization of clients (Windows) via the Kerberos protocol on the LDAP server, and then give them the appropriate IP based on the credentials in the LDAP database and provide access to Samba.
Before authorization or in case of a login error, clients need to be placed on the guest subnet 192.168.127.0/24, and in such a way that it is not possible to set the IP settings by hand and connect to a closed subnet.
Does anyone have thoughts on this issue? I would appreciate any help!


2 answer(s)
Cool Admin, 2014-07-21
@ifaustrue

Colleague, how do you plan to do Kerberos authorization before issuing an IP address? Or do you plan to reissue the address later (and what if the client does not agree to this, in the sense that the DHCP client needs to be "asked" to re-obtain the address that was given to it earlier)?
If you need a secure network, then maybe 802.1X + RADIUS will help you, or authorization of DHCP itself (I'm not sure which current versions can do this, except for the native one from MS).

antoine43, 2014-07-23
@antoine43

I didn't think about "asking" it to re-obtain the address. Authorization is not needed before issuing an IP; DHCP itself must issue a "guest" IP and, after authorization, transfer it to the desired subnet.
Is it possible, when logging into Windows using an account and password, to transfer this data via Kerberos to the authorization server?
And what does Kerberos authorization look like on Windows machines in a typical case?
