Samba + Kerberos backend - AD backend

Neil Hoggarth neil.hoggarth at physiol.ox.ac.uk
Tue Dec 16 12:01:59 GMT 2008


On Tue, 16 Dec 2008, kronda wrote:

> What I have:
> I have a Kerberos server for authentication. I have an OpenLDAP server with
> account information. They're running on the same (Gentoo) Linux machine.
>
> What I don't (want to) have:
> Active Directory.
>
> What I want to do:
> Set up Samba (on the same server as Kerberos and LDAP but I guess that
> should not make any difference) to use my Kerberos and OpenLDAP as backends
> for authentication and account information.

I am just in the process of exploring the same sort of thing, so the 
instructions that follow are very preliminary, based on my own testing, 
using Samba 3.2.6 built from source:

Suppose that your KDC is kdc.example.org and your Samba server will be 
running at samba.example.org.

Create "host" and "cifs" Kerberos principals for your Samba server:

   host/samba.example.org@YOUR.REALM
   cifs/samba.example.org@YOUR.REALM

Extract the keys so created to an /etc/krb5.keytab file on the Samba 
server using kadmin.

Teach your Windows workstations about the Kerberos realm and how to 
reach the KDC. This is normally done using a utility called ksetup.exe 
(which you can find amongst the support tools on a Windows Server CD in 
the \support\tools directory):

   ksetup /addkdc YOUR.REALM kdc.example.org

Reputedly this just sets a registry entry, so you can probably just hack 
it with regedit:

   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains\YOUR.REALM

create a multi-string (REG_MULTI_SZ) value called "KdcNames" which 
contains the name of your KDC (or a list of KDCs if you have more than 
one).

Reboot the Windows client.

Set up your smb.conf file for a Samba server in User security mode, with
the following settings:

   [global]
     use kerberos keytab = yes
     realm = YOUR.REALM

From the Windows workstation, it should now be possible for you to map a 
network share such as "\\samba.example.org\homes" using the username 
"YOUR.REALM\username".

The authentication all works via Kerberos (the workstation fetches a TGT 
and a CIFS service ticket from the KDC on behalf of the user, then uses 
it to authenticate the SMB connection to the Samba server rather than 
passing usernames and passwords over the wire).

Regards,
-- 
Neil Hoggarth -------------- Department of Physiology, Anatomy and Genetics
Head of IT --------------------------------------- University of Oxford, UK
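A check worth running after the kadmin step described above, before starting smbd: the following is an added Python example (not from the post or from Samba) that parses an MIT version-2 keytab such as /etc/krb5.keytab and reports which of the host/ and cifs/ principals for the Samba server are missing. The sample keytab bytes are constructed inline with dummy key material; the hostnames and realm are the post's own placeholders.

```python
import struct
from io import BytesIO

def _counted(buf):
    (n,) = struct.unpack(">H", buf.read(2))
    return buf.read(n)

def parse_keytab(data):
    """Yield (principal, kvno, enctype) for each entry in MIT keytab v2 bytes."""
    buf = BytesIO(data)
    if buf.read(2) != b"\x05\x02":
        raise ValueError("not a version-2 MIT keytab")
    while True:
        hdr = buf.read(4)
        if len(hdr) < 4:
            break
        (size,) = struct.unpack(">i", hdr)
        if size < 0:                     # negative size marks a deleted slot
            buf.read(-size)
            continue
        entry = BytesIO(buf.read(size))
        (ncomp,) = struct.unpack(">H", entry.read(2))
        realm = _counted(entry).decode()
        comps = [_counted(entry).decode() for _ in range(ncomp)]
        # name_type, timestamp, 8-bit kvno, enctype, key length
        _, _, vno8, enctype, klen = struct.unpack(">IIBHH", entry.read(13))
        entry.read(klen)                 # skip the key material itself
        tail = entry.read(4)             # optional 32-bit kvno, used when non-zero
        kvno = struct.unpack(">I", tail)[0] if len(tail) == 4 and tail != b"\0\0\0\0" else vno8
        yield ("/".join(comps) + "@" + realm, kvno, enctype)

def missing_samba_principals(data, host, realm):
    """host/ and cifs/ principals for `host` that the keytab does not contain."""
    present = {p for p, _, _ in parse_keytab(data)}
    return [p for p in (f"host/{host}@{realm}", f"cifs/{host}@{realm}") if p not in present]

def _entry(principal, kvno, enctype, key):
    # Build one keytab v2 entry; used only to construct the sample data below.
    name, realm = principal.split("@")
    comps = name.split("/")
    body = struct.pack(">H", len(comps))
    for s in [realm] + comps:
        body += struct.pack(">H", len(s)) + s.encode()
    body += struct.pack(">IIBHH", 1, 1229428919, kvno & 0xFF, enctype, len(key))
    body += key + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body

# Constructed sample (dummy key bytes): host/ was extracted, cifs/ was forgotten.
SAMPLE_KEYTAB = b"\x05\x02" + _entry("host/samba.example.org@YOUR.REALM", 3, 18, b"\0" * 32)
```

Run it against the real file with `missing_samba_principals(open("/etc/krb5.keytab", "rb").read(), "samba.example.org", "YOUR.REALM")`; an empty list means both principals are present for the realm named in smb.conf.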


