Samba 3 connect to openldap and mit kerberos

Michael Brown mbrown at
Fri Mar 25 10:59:15 GMT 2005

On Thu, 24 Mar 2005, Jeff Block wrote:
> Forgive me if this topic has already been posted, but I couldn't find it.
> I would like to bind a samba 3 server to an ldap/kerberos server.  I have
> built in ldap and kerberos support so that I can use the security=ads
> feature.  I don't have an actual AD infrastructure and I'm curious if I can
> use the ldap/kerb features of samba without AD.  I have user info in ldap
> and passwords in kerberos.
> Can I have samba use these DB's on the backend?

Yes.  With MIT Kerberos, you need to put the following settings in

   security = ads
   encrypt passwords = yes
   use kerberos keytab = yes

and to add the appropriate service principals in /etc/krb5.keytab.  Which
service principals are appropriate is something of a black art, because
Windows clients think that principal names are case-insensitive.  You will
probably need to add

   host/ at REALM
   cifs/ at REALM

plus some case variations such as

   host/ at REALM

You can easily see which service principal a Windows client is requesting
by using Ethereal to capture the traffic between the Windows client and 
the KDC.

You'll need at least Samba 3.0.11 to avoid a segfault when the client 
connects.  Current SVN has a patch that makes Samba accept any case 
combination in the Kerberos principal name; previously it would accept 
only a few variations.

Hope that helps.
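Added example, not part of the post above: a small Python check that enumerates the host/ and cifs/ principal spellings a Windows client may request (short name and FQDN, lower and upper case) and compares them with what `klist -k` reports for the keytab, so an admin can see which entries are still missing before clients start failing. The hostname, realm and sample `klist -k` output are constructed for illustration.

```python
import re
from itertools import product


def expected_principals(hostname, realm, services=("host", "cifs")):
    """Service principals the Samba keytab should carry for this server.

    Windows clients treat principal names as case-insensitive, so both the
    short host name and the FQDN are emitted in lower and upper case.
    """
    short = hostname.split(".")[0]
    names = {hostname.lower(), hostname.upper(), short.lower(), short.upper()}
    return {f"{svc}/{name}@{realm}" for svc, name in product(services, sorted(names))}


# Entry lines of MIT 'klist -k' output look like "   3 host/fs.example.com@REALM".
KLIST_ENTRY = re.compile(r"^\s*\d+\s+(\S+/\S+@\S+)\s*$")


def principals_in_keytab(klist_output):
    """Parse 'klist -k' output into the set of principals it lists."""
    found = set()
    for line in klist_output.splitlines():
        m = KLIST_ENTRY.match(line)
        if m:
            found.add(m.group(1))
    return found


def missing_principals(hostname, realm, klist_output):
    """Sorted list of expected principals absent from the keytab."""
    return sorted(expected_principals(hostname, realm) - principals_in_keytab(klist_output))


# Constructed sample: a keytab that only holds the lower-case FQDN entries.
SAMPLE_KLIST = """Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/fileserver.example.com@EXAMPLE.COM
   3 cifs/fileserver.example.com@EXAMPLE.COM
"""

if __name__ == "__main__":
    for p in missing_principals("fileserver.example.com", "EXAMPLE.COM", SAMPLE_KLIST):
        print("missing:", p)
```

Run it against the real output of `klist -k` to list the case variants still to be added with your KDC's admin tooling.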


More information about the samba-technical mailing list