Samba + Kerberos backend - AD backend

paul paul at
Tue Dec 16 14:15:39 GMT 2008

kronda schrieb:
> Hi,
> I'm really sorry if you know that this has been answered many times before
> but I did spend many hours on Google and did not find any suitable answer.
> So thanx in advance for any helpful answer.
> What I have:
> I have a Kerberos server for authentication. I have an OpenLDAP server with
> account information. They're running on the same (Gentoo) Linux machine.
> What I don't (want to) have:
> Active Directory.
> What I want to do:
> Set up Samba (on the same server as Kerberos and LDAP but I guess that
> should not make any difference) to use my Kerberos and OpenLDAP as backends
> for authentication and account information. 

> So basically clients (*n*x and
> Windows) will connect to Samba and enter their username/password which is
> stored in OpenLDAP/Kerberos. 
samba -> openldap -> (via userPassword: {KRB5}user at REALM) -> kdc

This is the main task. No Single Sign On, no
> Kerberos tickets being passed between Samba client and Samba server, no
> client membership in any domain. If possible I would prefere to not send
> plain text passwords over net
Probably not possible. You don't have (cleartext) passwords in LDAP so 
none of the  challenge-response SASL mechanisms will work.

> and if possible I'd like to use Single Sign On
> by passing Kerberos ticket (from Linux clients only) but that's a minor
> issue, not very important.
Use pam_krb5 for /etc/pam.d/login

> What I don't want to do:
> Have a second storage for user's passwords outside of Kerberos, i.e. no
> smbpasswd. Just one central repository storage in Kerberos. The same applies
> for accounts.
password backend = ldapsam


BTW: this is quite off topic for samba.internals

More information about the samba-technical mailing list