Kerberos v5 release 1.1, OpenLDAP 1.2.8, and samba 2.1.0 as an NT Domain Controller

Jeremy Jones JJones at
Mon Dec 13 23:01:05 GMT 1999

Hi all,

Many questions...  Hoping someone [patient] could explain the chain of
events to me, or tell me why such a chain of events could not possibly

I think I may be confusing myself...

How would a Kerberos KDC, an LDAP directory, and a Samba server interact
with one another?

1.  Could the KDC store it's database in the LDAP directory?
2.  Could the LDAP directory require Kerberos v5 authentication before
allowing a user/service access to the directory?
3.  Would a user first need a TGT, then request authentication from the
samba server, which in turn would check the LDAP directory for a match?

Here's what I'd like to do...

1. Conifgure OpenLDAP --with-krb5 so that a KDC authenticates connections to
the LDAP directory.
2. Configure Kerberos server --with-LDAP so that the Kerberos database is
stored in the LDAP directoy, and kerb password changes, etc. are made to the
LDAP directory (if that's what the --with-ldap option actually does for
kerb1.1--if not, what does it do?)
3. Configure samba as an NT domain controller --with-ldap and --with-krb5 so
that NT clients are authenticated by the KDC and have their tickets, etc.
stored in the LDAP directory.

Is this a sensible thing to want to do?

Jeremy Jones, MA, MCSE, CCNA
Systems Analyst
Northwest Network Services
(208) 343-5260 x106
mailto:jjones at

More information about the samba-ntdom mailing list