[Samba] Kerberos and Samba

Andrew Bartlett abartlet at samba.org
Mon Apr 12 10:24:45 GMT 2004


On Mon, Apr 12, 2004 at 12:05:24PM +0200, Sensei wrote:
> On Sat, 2004-04-10 at 16:07, Andrew Bartlett wrote:
> 
> > Samba cannot use the kerberos tickets directly - not unless the KDC is
> > Active Directory (for now).  But it is possible for Samba to use the
> > same password store.  (For NTLM, but not kerberos passwords)
> > 
> > What is your KDC?  MIT or Heimdal?  Are you using the Heimdal LDAP backend?
> 
> MIT K5. The passwords are stored only in the kerberos database.

That is a pity.  

> > While the work is still new, there is support in Heimdal to read Samba
> > password entries in LDAP.  There is also an OpenLDAP plugin to set
> > both Samba and Kerberos passwords on password change.
> > 
> > You would need to manually edit your LDAP database, to expose the
> > passwords in 'Samba' format - potentially a dump and restore of the
> > Heimdal entries might do it, if the sambaSamAccount objectClass was
> > added, and you used a current snapshot.  
> 
> It would be nice to have just kerberos passwords. I've done this with
> ldap (sasl gssapi authentication via k5) and afs (tokens are released on
> ticket releasing).
> 
> The main issue is the integrated windows login: a student must login,
> gain tickets and token, and have his windows home dir set to what ldap
> shows him: this means that afs must be enabled at boot.
> 
> How would you do this? I don't have any clues...

Not possible for an integrated kerberos solution at this stage - even
MS doesn't do pure KRB5, all the time.

VL's presentation at SambaXP was very interesting, he presented an AFS
gateway scheme that works with NTLM passwords (hint: it fakes tickets
;-)

You would still use NTLM, and need an NTLM compatible password store
for Samba.  (DC or access to password hashes)

Andrew Bartlett

