[Samba] Kerberos and Samba

Sensei senseiwa at tin.it
Mon Apr 12 10:05:24 GMT 2004


On Sat, 2004-04-10 at 16:07, Andrew Bartlett wrote:

> Samba cannot use the kerberos tickets directly - not unless the KDC is
> Active Directory (for now).  But it is possible for Samba to use the
> same password store.  (For NTLM, but not kerberos passwords)
> 
> What is your KDC?  MIT or Heimdal?  Are you using the Heimdal LDAP backend?

MIT K5. The passwords are stored only in the Kerberos database.

> While the work is still new, there is support in Heimdal to read Samba
> password entries in LDAP.  There is also an OpenLDAP plugin to set
> both Samba and Kerberos passwords on password change.
> 
> You would need to manually edit your LDAP database, to expose the
> passwords in 'Samba' format - potentially a dump and restore of the
> Heimdal entries might do it, if the sambaSamAccount objectClass was
> added, and you used a current snapshot.  

It would be nice to have just Kerberos passwords. I've done this with
LDAP (SASL GSSAPI authentication via K5) and AFS (tokens are released on
ticket releasing).

The main issue is the integrated Windows login: a student must log in,
gain tickets and token, and have his Windows home dir set to what LDAP
shows him: this means that AFS must be enabled at boot.

How would you do this? I don't have any clues...

-- 
Sensei    <mailto:senseiwa at tin.it>
          <icqnum:241572242>
          <msn-id:Sensei_Sen at hotmail.com>
Error: Keyboard not found. Press F1 to continue...


