Samba + Kerberos backend - AD backend

Andrew Bartlett abartlet at
Tue Dec 16 22:52:05 GMT 2008

On Tue, 2008-12-16 at 02:26 -0800, kronda wrote:
> Hi,
> I'm really sorry if you know that this has been answered many times before
> but I did spend many hours on Google and did not find any suitable answer.
> So thanks in advance for any helpful answer.
> What I have:
> I have a Kerberos server for authentication. I have an OpenLDAP server with
> account information. They're running on the same (Gentoo) Linux machine.
> What I don't (want to) have:
> Active Directory.
> What I want to do:
> Set up Samba (on the same server as Kerberos and LDAP but I guess that
> should not make any difference) to use my Kerberos and OpenLDAP as backends
> for authentication and account information. So basically clients (*n*x and
> Windows) will connect to Samba and enter their username/password which is
> stored in OpenLDAP/Kerberos. This is the main task. No Single Sign On, no
> Kerberos tickets being passed between Samba client and Samba server, no
> client membership in any domain. If possible I would prefer to not send
> plain text passwords over the net and if possible I'd like to use Single Sign On
> by passing Kerberos ticket (from Linux clients only) but that's a minor
> issue, not very important.
> What I don't want to do:
> Have a second storage for users' passwords outside of Kerberos, i.e. no
> smbpasswd. Just one central repository storage in Kerberos. The same applies
> for accounts.

BTW, Zivios did a nice job (from reports) integrating Samba3 and Heimdal
to use the same database.  The underlying tools are Heimdal's LDAP
backend, smbk5pwd and Samba's pdb_ldap.  As long as each directly
accesses the password, things should work...

Andrew Bartlett
Authentication Developer, Samba Team 
Samba Developer, Red Hat Inc.