Samba 3 connect to openldap and mit kerberos

Michael Brown mbrown@fensystems.co.uk
Fri Mar 25 10:59:15 GMT 2005


On Thu, 24 Mar 2005, Jeff Block wrote:
> Forgive me if this topic has already been posted, but I couldn't find it.
> 
> I would like to bind a samba 3 server to an ldap/kerberos server.  I have
> built in ldap and kerberos support so that I can use the security=ads
> feature.  I don't have an actual AD infrastructure and I'm curious if I can
> use the ldap/kerb features of samba without AD.  I have user info in ldap
> and passwords in kerberos.
> 
> Can I have samba use these DB's on the backend?

Yes.  With MIT Kerberos, you need to put the following settings in
smb.conf:

   realm = KERBEROS.REALM.NAME
   security = ads
   encrypt passwords = yes
   use kerberos keytab = yes

and to add the appropriate service principals in /etc/krb5.keytab.  Which
service principals are appropriate is something of a black art, because
Windows clients think that principal names are case-insensitive.  You will
probably need to add

   server$@REALM
   host/server.example.com@REALM
   cifs/server.example.com@REALM

plus some case variations such as

   HOST/server.example.com@REALM
   host/SERVER.example.com@REALM

You can easily see which service principal a Windows client is requesting
by using Ethereal to capture the traffic between the Windows client and 
the KDC.

You'll need at least Samba 3.0.11 to avoid a segfault when the client 
connects.  Current SVN has a patch that makes Samba accept any case 
combination in the Kerberos principal name; previously it would accept 
only a few variations.

Hope that helps.

Michael
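As an added example that is not part of the original thread: a small Python check that parses `klist -k` output and reports which of the principals listed in the reply (including the case variants) are absent from the keytab. The host name, realm and keytab listing are constructed assumptions; the comparison is deliberately case-sensitive, since the KDC matches the exact name the client asks for.

```python
# Added example, not code from the original post.  Given the output of
# "klist -k", list the service principals from the reply above that are
# still missing from /etc/krb5.keytab.  Names below are constructed.
import re


def expected_principals(netbios, fqdn, realm):
    """Principals the reply says a Samba member server needs."""
    host, domain = fqdn.split(".", 1)
    return {
        f"{netbios}$@{realm}",
        f"host/{fqdn}@{realm}",
        f"cifs/{fqdn}@{realm}",
        # case variations a Windows client may request
        f"HOST/{fqdn}@{realm}",
        f"host/{host.upper()}.{domain}@{realm}",
    }


def parse_klist(output):
    """Return the set of principals in 'klist -k' output, case preserved."""
    principals = set()
    for line in output.splitlines():
        # keytab entry lines look like: "   2 host/server.example.com@REALM"
        m = re.match(r"^\s*\d+\s+(\S+@\S+)$", line)
        if m:
            principals.add(m.group(1))
    return principals


def missing_principals(klist_output, netbios, fqdn, realm):
    """Expected principals not present in the keytab (exact-case match)."""
    wanted = expected_principals(netbios, fqdn, realm)
    return sorted(wanted - parse_klist(klist_output))


# Constructed sample of "klist -k" output for an assumed host
SAMPLE_KLIST = """Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 SERVER$@EXAMPLE.COM
   2 host/server.example.com@EXAMPLE.COM
   2 cifs/server.example.com@EXAMPLE.COM
"""

if __name__ == "__main__":
    for p in missing_principals(SAMPLE_KLIST, "SERVER",
                                "server.example.com", "EXAMPLE.COM"):
        print("missing from keytab:", p)
```

To check a live system, feed it the real listing, e.g. `subprocess.run(["klist", "-k"], capture_output=True, text=True).stdout`, together with the server's actual NetBIOS name, FQDN and realm.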

