[Samba] Kerberos and Samba

Tarjei Huse tarjei at nu.no
Mon Apr 12 09:45:40 GMT 2004


On Sat, 2004-04-10 at 16:07, Andrew Bartlett wrote:
> On Sat, Apr 10, 2004 at 12:09:49PM +0200, Sensei wrote:
> > Hi. 
> > 
> > I've built an afs cell, a kerberos kdc, an openldap server, all 
> > kerberized. Now all linux clients can login on the cell using k5 
> > authentication, finding information about their home dirs with ldap. 
> > Their homes reside on the afs cell, which allows r/w access since it 
> > releases a token from the k5 ticket. All macosx clients can login as 
> > well... but what about windows? ^___^;;; 
> > 
> > I've been sent here from a kerberos group, telling me samba could be
> > useful. 
> > 
> > I'd like to avoid creating windows users on every windows client... and
> > I know I can set up an AD server, creating users on kerberos/afs/ldap
> > AND the same users on AD... quite long... 
> > 
> > Is samba of any use? Can I grant tickets and tokens via samba, mapping
> > windows home directories on the afs home dir? This information can be
> > retrieved from openldap... 
> 
> Samba cannot use the kerberos tickets directly - not unless the KDC is
> Active Directory (for now).  But it is possible for Samba to use the
> same password store.  (For NTLM, but not kerberos passwords)
> 
> What is your KDC?  MIT or Heimdal?  Are you using the Heimdal LDAP backend?
> 
> If you are running Heimdal, what version?  Could you run a current snapshot?
> 
> While the work is still new, there is support in Heimdal to read Samba
> password entries in LDAP.  There is also an OpenLDAP plugin to set
> both Samba and Kerberos passwords on password change.
> 
> You would need to manually edit your LDAP database, to expose the
> passwords in 'Samba' format - potentially a dump and restore of the
> Heimdal entries might do it, if the sambaSamAccount objectClass was
> added, and you used a current snapshot.  
So doing it this way means that you do not need to modify samba in any
way?

Cool!

Tarjei

> 
> (The type 23 arcfour-hmac-md5 enctype is the Samba NT password)
> 
> Andrew Bartlett


