Samba + Kerberos backend - AD backend
paul
paul at subsignal.org
Tue Dec 16 14:15:39 GMT 2008
kronda wrote:
> Hi,
> I'm really sorry if you know that this has been answered many times before
> but I did spend many hours on Google and did not find any suitable answer.
> So thanks in advance for any helpful answer.
>
> What I have:
> I have a Kerberos server for authentication. I have an OpenLDAP server with
> account information. They're running on the same (Gentoo) Linux machine.
>
> What I don't (want to) have:
> Active Directory.
>
> What I want to do:
> Set up Samba (on the same server as Kerberos and LDAP but I guess that
> should not make any difference) to use my Kerberos and OpenLDAP as backends
> for authentication and account information.
OK.
> So basically clients (*n*x and
> Windows) will connect to Samba and enter their username/password which is
> stored in OpenLDAP/Kerberos.
samba -> openldap -> (via userPassword: {KRB5}user@REALM) -> kdc
> This is the main task. No Single Sign On, no
> Kerberos tickets being passed between Samba client and Samba server, no
> client membership in any domain. If possible I would prefer to not send
> plain text passwords over net
Probably not possible. You don't have (cleartext) passwords in LDAP so
none of the challenge-response SASL mechanisms will work.
> and if possible I'd like to use Single Sign On
> by passing Kerberos ticket (from Linux clients only) but that's a minor
> issue, not very important.
Use pam_krb5 for /etc/pam.d/login
>
> What I don't want to do:
> Have a second storage for users' passwords outside of Kerberos, i.e. no
> smbpasswd. Just one central repository storage in Kerberos. The same applies
> for accounts.
password backend = ldapsam
hth
Paul
BTW: this is quite off topic for samba.internals
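
The following is an added example, not part of the original post: it illustrates the reply's point that a challenge-response mechanism cannot be verified when `userPassword` holds only a `{KRB5}` reference. CRAM-MD5 is used as a representative mechanism; the user names, passwords, realm and the dictionary standing in for the KDC are constructed assumptions.

```python
import hashlib
import hmac

# Constructed directory entries (sample values, not from the original post).
DIRECTORY = {
    "alice": "s3cret-alice",           # cleartext userPassword
    "bob": "{KRB5}bob@EXAMPLE.ORG",    # pass-through reference to a KDC principal
}
# Stand-in for the KDC: the only place bob's password can be checked.
KDC = {"bob@EXAMPLE.ORG": "s3cret-bob"}


def cram_md5_response(password: str, challenge: bytes) -> str:
    """Client side of CRAM-MD5: HMAC-MD5 over the challenge, keyed with the password."""
    return hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()


def verify_cram_md5(user: str, challenge: bytes, response: str) -> str:
    """Server side: the shared secret itself is needed to recompute the HMAC."""
    stored = DIRECTORY.get(user)
    if stored is None:
        return "unknown-user"
    if stored.startswith("{"):
        # Only a scheme tag and a principal name are stored: no key for the HMAC.
        return "no-shared-secret"
    expected = cram_md5_response(stored, challenge)
    return "ok" if hmac.compare_digest(expected, response) else "bad-response"


def verify_plaintext(user: str, password: str) -> bool:
    """Pass-through check: the server must receive the password and hand it on."""
    stored = DIRECTORY.get(user)
    if stored is None:
        return False
    if stored.startswith("{KRB5}"):
        principal = stored[len("{KRB5}"):]
        known = KDC.get(principal)
        return known is not None and hmac.compare_digest(known, password)
    return hmac.compare_digest(stored, password)


if __name__ == "__main__":
    challenge = b"<1896.697170952@example.org>"  # constructed server challenge
    for user, pw in (("alice", "s3cret-alice"), ("bob", "s3cret-bob")):
        resp = cram_md5_response(pw, challenge)
        print(user, verify_cram_md5(user, challenge, resp), verify_plaintext(user, pw))
```

With the pass-through entry, the only check that succeeds is the one where the server sees the password, which is why the transport carrying it needs to be encrypted.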