[Samba] OpenLDAP, heimdal kerberos, sasl, which order?

Gémes Géza geza at kzsdabas.sulinet.hu
Wed Apr 14 18:13:54 GMT 2004



José Ildefonso Camargo Tolosa wrote:
| Hi!
|
| I have been reading for about two weeks (maybe I'm reading in the wrong
| places).  I have found as many documents as one could expect describing
| how to build a LDAPv3 server, or how to build samba with ldap.  This
| far, I have failed, and have a BIG confusion in the order in which the
| things should go:
|
| In one document, they recommend this:
|
| samba -> ldap -> sasl -> kerberos (so, the passwords get stored in the
| kerberos database, at least that's what they say, but..... does the
| samba schema do this in fact? will the samba passwords be kept in
| the kerberos database?, or does it just store the passwords in the ldap
| database).
|
| In other (simpler):
|
| samba -> ldap
| and:
| kerberos -> ldap (thus, storing the kerberos passwords in the ldap
| (duh...)).
|
| All that I'm trying to do is to get a PDC with a directory service, but
| I need it to be secure (that's why I'm bothering with kerberos).
| Anyway, I would like to know: in which order should I build the thing?:
|
| Build orders:
|
| 1. kerberos, next sasl, next ldap, next samba (configured for samba ->
| ldap -> sasl -> kerberos).
| 2. ldap, next samba (just samba -> ldap,  without kerberos password
| storing).
|
| Also, if I use option 1, should the windows clients use a kerberos
| client?, or do they just log in as usual?  Has anybody tested something like
| this?
|
| My system:
|
| Hardware:
| + Athlon XP 1500+, 512Mb RAM (133).
|
| Software:
| + Slackware 9.1 (with kernel 2.6.5), and most recent upgrades of all
| packages.
| + OpenLDAP 2.2.8
| + kerberos: MIT kerberos 1.3.2 (read somewhere that it has thread
| issues, I'm thinking of moving to heimdal, any suggestions?), heimdal 0.6.1.
| + samba 3.0.2a
| + cyrus sasl 2.1.18
| + Berkeley DB 4.2.52
| + OpenSSL 0.9.7d.
|
| Thanks in advance for your help,
|
| Sincerely,
|
| Ildefonso Camargo
| icamargo at merkurio.com.ve
|
If you have no *NIX clients, then you can't yet get any serious
benefit from using Kerberos for Windows clients.
So in this case I would suggest building OpenSSL, OpenLDAP, and then
Samba. Configure a certificate authority if you don't want to use a
commercially available one. Create certificates for your OpenLDAP
server. Configure OpenLDAP. Configure nss_ldap and pam_ldap to use TLS
or SSL connections. Configure Samba to connect using TLS or SSL to your
LDAP server. In this way you can achieve the maximum security from the
ldap+samba setup.

Cheers

Geza
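The TLS-protected ldap+samba layout Geza describes, written out as an added configuration example (not from the original post or the Samba project): the hostname ldap.example.com, the base DN dc=example,dc=com, the certificate paths and the admin DN are assumed values, and the directives target OpenLDAP 2.2, nss_ldap/pam_ldap and Samba 3.0.x as listed in the question.

```ini
# --- /etc/openldap/slapd.conf (OpenLDAP 2.2, server side) ---
# Certificates issued by your own CA; paths and hostname are assumed.
TLSCACertificateFile    /etc/openldap/cacert.pem
TLSCertificateFile      /etc/openldap/ldap.example.com.crt
TLSCertificateKeyFile   /etc/openldap/ldap.example.com.key
# Refuse any operation that is not protected by at least 128-bit TLS,
# so binds and password hashes never cross the wire in the clear.
security tls=128
# Password attributes: the Samba admin DN may write them, a user may
# change their own, everyone else may only use them to authenticate.
access to attrs=userPassword,sambaLMPassword,sambaNTPassword
        by dn="cn=samba,ou=admins,dc=example,dc=com" write
        by self write
        by * auth

# --- /etc/ldap.conf (nss_ldap and pam_ldap, client side) ---
host ldap.example.com
base dc=example,dc=com
# Upgrade the plain connection with STARTTLS and verify the server
# certificate against the CA, otherwise a spoofed server would be accepted.
ssl start_tls
tls_checkpeer yes
tls_cacertfile /etc/openldap/cacert.pem

# --- /etc/samba/smb.conf (Samba 3.0.x PDC) ---
[global]
    workgroup           = EXAMPLE
    domain logons       = yes
    domain master       = yes
    passdb backend      = ldapsam:ldap://ldap.example.com
    ldap suffix         = dc=example,dc=com
    ldap user suffix    = ou=users
    ldap group suffix   = ou=groups
    ldap machine suffix = ou=computers
    ldap admin dn       = cn=samba,ou=admins,dc=example,dc=com
    # Samba issues STARTTLS before binding with the admin DN
    ldap ssl            = start tls
```

The password for the ldap admin dn is stored in secrets.tdb with `smbpasswd -w`, never in smb.conf.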
