Samba with LDAP or Kerberos Backend

Rakesh Patel rapatel at optonline.net
Wed Jun 2 01:21:04 GMT 2004


Dhruv, are you using pam_krb5 for LDAP to authenticate using Kerberos
for interactive LDAP binds where the user sends a DN and password to
bind to LDAP?

If your goal is to ensure a single user/password authentication and you
are already using Kerberos, then you may wish to consider simply using
Kerberos for LDAP (I assume OpenLDAP?) authentication and for Samba
authentication. [If the LDAP client will only use SASL/TLS or SSL, then
the password would need to be sent to the LDAP server and the server
will have to use Kerberos authentication via PAM or other mechanism].

I would avoid using LDAP authentication if you are already using
Kerberos. It is much safer to attempt to use Kerberos keys across the
board if you can, but all the clients you use must support Kerberos
(preferably through GSSAPI).

Hope I haven't confused you any further.

Rakesh Patel.


Dhruv Soi wrote:

>Hi All,
>I have configured LDAP with pam module to authenticate user accounts, where
>LDAP is using kerberos database in the backend. Could anyone suggest me how
>it is possible with samba. My only requirement is that
>  
>
>1. Samba Passwords should be same as user passwords. And user can change
>that by sitting on windows terminal and Samba should not work as PDC.
>
>  a. Either I can do if there's any option that ldap's lmPassword and
>ntPassword should match value in userPassword schema.
>  b. Samba could fetch same userdatabase that ldap is fetching i.e. from
>kerberos either using ldap or by its own.
>Any help would be highly appreciated.
>
>I have configured samba with ldap backend but when a user changes password he
>could not do it for samba and local account in one shot. Either I have to
>write script or whatever but I think any of the above solutions should also
>work.
>
>PS: I am fed up by making all sort of Research. Please Help!!!
>
>Thanks
>Dhruv
>System Admin
>Momentum Technologies
>  
>


