Samba with LDAP or Kerberos Backend

Dhruv Soi dhruvs at
Wed Jun 2 05:21:13 GMT 2004

Thanks Rakesh for your mail... I am trying on Linux.
Actually I have tried it in two sequences and the second one worked for me... My
goal was to centralize the user database with an ability for Windows users to
change their passwords, but the samba security mode is to be = share, no server,
no ADS....

1. To centralize local user accounts with LDAP+KERBEROS
a). I installed LDAP and kerberos.
b). Created Kerberos database for user principals and shared keys for
c). Used authconfig to have LDAP as the authentication mechanism
d). After adding the Kerberos schema to LDAP, under the userPassword: attribute I
wrote {KERBEROS}username at REALM
e). When I tried authenticating local users, LDAP was communicating with
Kerberos to verify passwords.

To centralize Samba User account.
f). When I tried the same for the Samba attributes by writing lmPassword and
ntPassword as {KERBEROS}username at REALM it didn't work.
g). If I want to use LDAP for samba authentication, that I can do, but I can't
use Kerberos user principals as the backend for LDAP

2. Centralize passwords only with kerberos for samba
a). Up to c). above, the setup was similar
b). I changed /etc/pam.d/samba for pam_krb5 and then made encrypt password =
no in smb.conf and samba was able to fetch passwords from the Kerberos database.
Now I can't change encrypt password = yes as it's overruling the pam
settings, so not fetching passwords from Kerberos
c). Now the problem is passwords are travelling in plain text, so I have to make
enableplaintextPassword = 1 in the Windows registry on all the client machines

So by either way if you can help me, would do for me!


-----Original Message-----
From: Rakesh Patel [mailto:rapatel at]
Sent: Wednesday, June 02, 2004 6:51 AM
To: dhruvs at
Cc: samba-technical at
Subject: Re: Samba with LDAP or Kerberos Backend

Dhruv, are you using pam_krb5 for LDAP to authenticate using Kerberos for
interactive LDAP binds where the user sends a DN and password to bind to

If your goal is to ensure a single user/password authentication and you
are already using Kerberos, then you may wish to consider simply using
Kerberos for LDAP (I assume OpenLDAP?) authentication and for Samba
authentication.  [If the LDAP client will only use SASL/TLS or SSL, then
the password would need to be sent to the LDAP server and the server will
have to use Kerberos authentication via PAM or other

I would avoid using LDAP authentication if you are already using
Kerberos. It is much safer to attempt to use Kerberos keys across the
board if you can, but all the clients you use must support Kerberos
(preferably through GSSAPI).

Hope I haven't confused you any further.

Rakesh Patel.

Dhruv Soi wrote:

>Hi All,
>I have configured LDAP with pam module to authenticate user accounts, where
>LDAP is using kerberos database in the backend. Could anyone suggest me how
>it is possible with samba. My only requirement is that
>1. Samba Passwords should be same as user passwords. And user can change
>that by sitting on windows terminal and Samba should not work as PDC.
>  a.. Either I can do it if there's any option that LDAP's lmPassword and
>ntPassword should match the value in the userPassword schema.
>  b.. Samba could fetch the same user database that LDAP is fetching, i.e. from
>Kerberos, either using LDAP or on its own.
>Any help would be highly appreciated.
>I have configured samba with an LDAP backend but when a user changes password
>could not do it for samba and local account in one shot. Either I have to
>write a script or whatever but I think any of the above solutions should also
>PS: I am fed up by making all sort of Research. Please Help!!!
>System Admin
>Momentum Technologies
