[Samba] Kerberos and Samba

Andrew Bartlett abartlet at samba.org
Sat Apr 10 14:07:06 GMT 2004

On Sat, Apr 10, 2004 at 12:09:49PM +0200, Sensei wrote:
> Hi. 
> I've built an afs cell, a kerberos kdc, an openldap server, all
> kerberized. Now all linux clients can login on the cell using k5
> authentication, finding information about their home dirs with ldap.
> Their homes reside on the afs cell, which allows r/w access since it
> releases a token from the k5 ticket. All macosx clients can login as
> well... but what about windows? ^___^;;;
> I've been sent here from a kerberos group, telling me samba could be
> useful. 
> I'd like to avoid creating windows users on every windows client... and
> I know I can set up an AD server, creating users on kerberos/afs/ldap
> AND the same users on AD... quite long... 
> Is samba of any use? Can I grant tickets and tokens via samba, mapping
> windows home directories on the afs home dir? This information can be
> retrieved from openldap... 

Samba cannot use the Kerberos tickets directly - not unless the KDC is
Active Directory (for now).  But it is possible for Samba to use the
same password store.  (For NTLM, but not Kerberos passwords)

What is your KDC?  MIT or Heimdal?  Are you using the Heimdal LDAP backend?

If you are running Heimdal, what version?  Could you run a current snapshot?

While the work is still new, there is support in Heimdal to read Samba
password entries in LDAP.  There is also an OpenLDAP plugin to set
both Samba and Kerberos passwords on password change.

You would need to manually edit your LDAP database, to expose the
passwords in 'Samba' format - potentially a dump and restore of the
Heimdal entries might do it, if the sambaSamAccount objectClass was
added, and you used a current snapshot.  

(The type 23 arcfour-hmac-md5 enctype is the Samba NT password)

Andrew Bartlett
