Samba 3 connect to openldap and mit kerberos
Michael Brown
mbrown at fensystems.co.uk
Fri Mar 25 10:59:15 GMT 2005
On Thu, 24 Mar 2005, Jeff Block wrote:
> Forgive me if this topic has already been posted, but I couldn't find it.
>
> I would like to bind a samba 3 server to an ldap/kerberos server. I have
> built in ldap and kerberos support so that I can use the security=ads
> feature. I don't have an actual AD infrastructure and I'm curious if I can
> use the ldap/kerb features of samba without AD. I have user info in ldap
> and passwords in kerberos.
>
> Can I have samba use these DB's on the backend?
Yes. With MIT Kerberos, you need to put the following settings in
smb.conf:
realm = KERBEROS.REALM.NAME
security = ads
encrypt passwords = yes
use kerberos keytab = yes
and to add the appropriate service principals in /etc/krb5.keytab. Which
service principals are appropriate is something of a black art, because
Windows clients think that principal names are case-insensitive. You will
probably need to add
server$@REALM
host/server.example.com@REALM
cifs/server.example.com@REALM
plus some case variations such as
HOST/server.example.com@REALM
host/SERVER.example.com@REALM
You can easily see which service principal a Windows client is requesting
by using Ethereal to capture the traffic between the Windows client and
the KDC.
You'll need at least Samba 3.0.11 to avoid a segfault when the client
connects. Current SVN has a patch that makes Samba accept any case
combination in the Kerberos principal name; previously it would accept
only a few variations.
Hope that helps.
Michael
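As an added example (not part of the post above or of Samba itself): a small Python check that parses the output of `klist -k /etc/krb5.keytab`, builds the set of principals a Windows client might request for this server (the machine account plus host/ and cifs/ in the service-name and hostname case variants the post mentions, generalised to all of those combinations), and reports which are absent from the keytab. The klist output and the names server / server.example.com / KERBEROS.REALM.NAME are constructed sample values.

```python
import re
from itertools import product

# Constructed sample of `klist -k /etc/krb5.keytab` output (MIT format, not from the post).
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 server$@KERBEROS.REALM.NAME
   3 host/server.example.com@KERBEROS.REALM.NAME
   3 cifs/server.example.com@KERBEROS.REALM.NAME
   3 HOST/server.example.com@KERBEROS.REALM.NAME
"""


def expected_principals(netbios, fqdn, realm):
    """Principals a Windows client may ask the KDC for when talking to this server.

    Assumption (labelled): the machine account is netbios$@REALM as given, and the
    service part (host/cifs) and hostname may each arrive in lower or upper case.
    """
    host, domain = fqdn.split(".", 1)
    hostnames = {fqdn, f"{host.upper()}.{domain}", fqdn.upper()}
    names = {f"{netbios}$@{realm}"}
    for service, hostname in product(("host", "cifs"), hostnames):
        names.add(f"{service}/{hostname}@{realm}")
        names.add(f"{service.upper()}/{hostname}@{realm}")
    return names


def keytab_principals(klist_output):
    """Extract the principal column from `klist -k` output (KVNO then principal)."""
    return {
        m.group(1)
        for m in re.finditer(r"^\s*\d+\s+(\S+@\S+)\s*$", klist_output, re.MULTILINE)
    }


def missing_principals(klist_output, netbios, fqdn, realm):
    """Sorted list of expected principals that the keytab does not contain."""
    present = keytab_principals(klist_output)
    return sorted(expected_principals(netbios, fqdn, realm) - present)


if __name__ == "__main__":
    for name in missing_principals(SAMPLE_KLIST, "server", "server.example.com",
                                   "KERBEROS.REALM.NAME"):
        print("missing:", name)
```

Run it against real output with `klist -k /etc/krb5.keytab | python3 check.py` after replacing SAMPLE_KLIST with `sys.stdin.read()`; an empty result means every variant in the set is already in the keytab.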