[Samba] Authentication against kerberos / sssd

tseegerkrb tseegerkrb at gmail.com
Tue Dec 11 19:41:46 UTC 2018


On 11.12.18 18:19, walk2sun via samba wrote:
> On 11.12.18 at 15:36, tseegerkrb via samba wrote:
>> On 11.12.18 15:23, Rowland Penny via samba wrote:
>>> On Tue, 11 Dec 2018 15:09:39 +0100
>>> tseegerkrb via samba <samba at lists.samba.org> wrote:
>>>
>>>> Hello list,
>>>>
>>>> a quick question. Right now I have a combination of MIT Kerberos,
>>>> OpenLDAP and SSSD for authenticating my users. Is there a way that
>>>> Samba can use this setup to perform user authentication. I only want
>>>> to access the shares of the Samba server from about 8 Windows
>>>> computers. I am aware that I cannot make an Active Directory out of
>>>> this.
> 
> The Samba 3 code supports OpenLDAP as a store for users, machines, groups
> and other things you need.
> 
> 
I think that's not possible, because I use SASL and the userPassword
attribute contains something like "{SASL}username@KERBEROS.REALM".
>>>>
>>>> At the moment I have stored the users in a local passdb, which works
>>>> but is very unpleasant.
> 
> This is really bad. I assume that you mean your user database for Samba
> is local tdb files.
Yes.
> 
> Switch to ldapsam.
> 
>>>>
>>> That is why Microsoft came up with domains ;-)
>>>
>>> If you look at Active Directory, it is basically composed of kerberos,
>>> ldap and dns, so you can replace your kerberos and ldap servers with a
>>> Samba AD DC; this also comes with winbind, which will replace sssd.
>>>
>>> There is just one possible fly in the ointment: you mention MIT & sssd,
>>> is this using a Red Hat OS?
>>> If it is, you cannot use the OS packages to create an AD DC, or if you
>>> can (Fedora), it shouldn't be used in production.
>>>
>>> Rowland
>>>
>>>
>> Hello Rowland,
>>
>> thanks for your answer but I don't want to replace my kerberos & ldap
>> setup with an AD server. Basically I only want to control access to the
>> handful of Samba shares.
> 
> Your users should auth against openldap with exop control enabled.
> Openldap should handover the auth to kerberos. And then install
> slapo-smbk5pwd on your openldap server. This overlay will sync the samba
> passwords.
slapo-smbk5pwd is for the Heimdal Kerberos server only. I use the MIT
Kerberos server. There was a fork for MIT Kerberos but I believe the
project is dead.
> 
> 
> Hint: I have never used sssd and I am sure I never will. For this
> classic Samba setup I prefer nslcd as PAM and NSS provider. Winbind will
> also do.
Everything except Samba is working very nicely with sssd.
> 
> If you are interested in such a setup I am willing to help.
> 
>>
>> Thorsten
>>
> -- 
> 
> Harry
> 
Is it possible to create a trust between a samba4 AD and a MIT Kerberos
realm?

Thorsten
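For readers following Harry's "switch to ldapsam" suggestion, here is an added smb.conf fragment for a classic (non-AD) Samba server backed by OpenLDAP. It is my own illustration, not configuration from the thread; the host name, base DN and admin DN are placeholders, and it assumes the user entries already carry the sambaSamAccount object class.

```ini
[global]
   workgroup = EXAMPLE
   server role = standalone server
   security = user

   ; placeholder LDAP server and base DN; adjust to your directory
   passdb backend = ldapsam:ldap://ldap.example.com
   ldap suffix = dc=example,dc=com
   ldap user suffix = ou=People
   ldap group suffix = ou=Groups
   ldap machine suffix = ou=Computers
   ; placeholder bind DN; its password is stored with "smbpasswd -w"
   ldap admin dn = cn=samba,dc=example,dc=com
   ; protect the bind credentials and the NT hashes on the wire
   ldap ssl = start tls
```

Note that ldapsam reads the NT hash from the sambaNTPassword attribute, not from userPassword, so a {SASL} pass-through to Kerberos does not help here: without an overlay such as smbk5pwd keeping the two in sync, users effectively have two separately managed passwords.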
