Samba + Kerberos backend - AD backend

kronda kronda at
Tue Dec 16 10:26:14 GMT 2008

I'm really sorry if you know that this has been answered many times before
but I did spend many hours on Google and did not find any suitable answer.
So thanks in advance for any helpful answer.

What I have:
I have a Kerberos server for authentication. I have an OpenLDAP server with
account information. They're running on the same (Gentoo) Linux machine.

What I don't (want to) have:
Active Directory.

What I want to do:
Set up Samba (on the same server as Kerberos and LDAP but I guess that
should not make any difference) to use my Kerberos and OpenLDAP as backends
for authentication and account information. So basically clients (*n*x and
Windows) will connect to Samba and enter their username/password which is
stored in OpenLDAP/Kerberos. This is the main task. No Single Sign On, no
Kerberos tickets being passed between Samba client and Samba server, no
client membership in any domain. If possible I would prefer to not send
plain text passwords over the net and if possible I'd like to use Single Sign On
by passing Kerberos ticket (from Linux clients only) but that's a minor
issue, not very important.

What I don't want to do:
Have a second storage for user's passwords outside of Kerberos, i.e. no
smbpasswd. Just one central repository storage in Kerberos. The same applies
for accounts.

What I would like to know:
Is it possible? And if so, how? I've read many howtos, posts, "definitive
guides" etc. but never found the answer. It is always either using smbpasswd
store or it uses Active Directory and Samba server is somehow joined into an
AD domain. I've seen several times that "Samba authentication cannot be
delegated to any other authentication server (because of "encrypted
passwords, you know...") but delegating authentication to AD simply IS
delegating authentication to another server, moreover using (something
like?) Kerberos. So probably by tuning pam_winbind or pam_krb5 correctly
this can be done. No? What do you think? That I'm not very bright? Ok, I see
that now, so d'you maybe have any advice for such a loser...?

Thanks to all.
Sent from the Samba - samba-technical mailing list archive at