[Samba] Kerberos and Samba

Andrew Bartlett abartlet at samba.org
Mon Apr 12 10:24:45 GMT 2004

On Mon, Apr 12, 2004 at 12:05:24PM +0200, Sensei wrote:
> On Sat, 2004-04-10 at 16:07, Andrew Bartlett wrote:
> > Samba cannot use the kerberos tickets directly - not unless the KDC is
> > Active Directory (for now).  But it is possible for Samba to use the
> > same password store.  (For NTLM, but not kerberos passwords)
> > 
> > What is your KDC?  MIT or Heimdal?  Are you using the Heimdal LDAP backend?
> MIT K5. The passwords are stored only in the kerberos database.

That is a pity.  

> > While the work is still new, there is support in Heimdal to read Samba
> > password entries in LDAP.  There is also an OpenLDAP plugin to set
> > both Samba and Kerberos passwords on password change.
> > 
> > You would need to manually edit your LDAP database, to expose the
> > passwords in 'Samba' format - potentially a dump and restore of the
> > Heimdal entries might do it, if the sambaSamAccount objectClass was
> > added, and you used a current snapshot.  
> It would be nice to have just kerberos passwords. I've done this with
> ldap (sasl gssapi authentication via k5) and afs (tokens are released on
> ticket releasing).
> The main issue is the integrated windows login: a student must login,
> gain tickets and token, and have his windows home dir set to what ldap
> shows him: this means that afs must be enabled at boot.
> How would you do this? I don't have any clues...

Not possible for an integrated kerberos solution at this stage - even
MS doesn't do pure KRB5, all the time.

VL's presentation at SambaXP was very interesting, he presented an AFS
gateway scheme that works with NTLM passwords (hint: it fakes tickets

You would still use NTLM, and need an NTLM compatible password store
for Samba.  (DC or access to password hashes)

Andrew Bartlett
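As an added illustration of the "expose the passwords in 'Samba' format" step Andrew describes above (this is not from the thread and not Samba or Heimdal project code): with a Heimdal KDC that keeps its principals in OpenLDAP, the per-user entry can carry the sambaSamAccount objectClass alongside the Heimdal krb5KDCEntry/krb5Principal classes, so that Samba reads its NT hash from the same LDAP object. The DN, the domain SID and the hash value below are placeholders; the attribute names come from the standard samba.schema (sambaSID, sambaNTPassword, sambaAcctFlags, sambaPwdLastSet). The NT hash cannot be derived from the existing Kerberos keys, so after adding the objectClass the user still has to set a password once through a path that writes both stores (the OpenLDAP password-change plugin mentioned above, or smbpasswd).

```ldif
# Constructed example: add Samba attributes to an existing Heimdal principal
# entry in OpenLDAP. DN, SID and hash are placeholders, not real values.
dn: uid=student1,ou=People,dc=example,dc=edu
changetype: modify
add: objectClass
objectClass: sambaSamAccount
-
add: sambaSID
# Domain SID prefix (S-1-5-21-x-y-z) is the Samba domain's own; RID 1000 assumed
sambaSID: S-1-5-21-0-0-0-1000
-
add: sambaAcctFlags
# Ordinary user account, 11-character flag field padded with spaces
sambaAcctFlags: [U          ]
-
add: sambaPwdLastSet
# Unix epoch seconds; 0 forces a password change at next logon
sambaPwdLastSet: 0
-
add: sambaNTPassword
# 32 hex digits (MD4 of the UTF-16LE password); placeholder, set via a real
# password change so the Kerberos key and NT hash come from the same secret
sambaNTPassword: 00000000000000000000000000000000
```

Apply with `ldapmodify -x -D "cn=admin,dc=example,dc=edu" -W -f add-samba.ldif` (an assumed bind DN), then have the user change the password once so both the krb5Key and sambaNTPassword attributes are written from the same plaintext. Because sambaNTPassword is a password-equivalent secret, ACLs on the LDAP server should restrict read access to it to the Samba server's bind identity, exactly as the Heimdal key attributes are already restricted.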
