Kerberos v5 release 1.1, OpenLDAP 1.2.8, and samba 2.1.0 as an NT Domain Controller

Luke Howard lukeh at
Tue Dec 14 00:05:36 GMT 1999


>1.  Could the KDC store it's database in the LDAP directory?

Yes. Indeed, this was the reason we implemented the domain socket
transport for OpenLDAP. There's still a lot of work to be done
to implement this, though.

>2.  Could the LDAP directory require Kerberos v5 authentication before
>allowing a user/service access to the directory?

In principle (pun not intended!), yes. However, OpenLDAP still requires
support for the GSS-API SASL mechanism in order to do this in the
"correct" manner. Netscape's Directory Server supports this mechanism
with an appropriate plugin, and OpenLDAP will eventually support SASL
authentication using the Cyrus SASL library.

>3.  Would a user first need a TGT, then request authentication from the
>samba server, which in turn would check the LDAP directory for a match?

W2K clients use a complicated mix of Kerberos, LDAP, and RPCs for
authentication and authorization. Check out:

for some interesting reading. That said, I believe SAMBA supports LDAP
now as a backend to its pre-W2K domain controller service.

>2. Configure Kerberos server --with-LDAP so that the Kerberos database is
>stored in the LDAP directoy, and kerb password changes, etc. are made to the
>LDAP directory (if that's what the --with-ldap option actually does for
>kerb1.1--if not, what does it do?)

I wasn't aware of this -- I'm curious to know more.


-- Luke


luke howard                                                  lukeh at PADL.COM 
PADL software pty ltd                                   http://www.PADL.COM

More information about the samba-ntdom mailing list