[Samba] OpenLDAP, heimdal kerberos, sasl, which order?
José Ildefonso Camargo Tolosa
icamargo at merkurio.com.ve
Wed Apr 14 18:37:25 GMT 2004
Gémes Géza wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> If you have no *NIX clients, then you couldn't yet get any serious
> benefit from using Kerberos for Windows clients.
> So in this case I would suggest to build OpenSSL, OpenLDAP, and then
> Samba. Configure a certificate authority, if you don't want to use a
> commercially available one. Create certificates for your OpenLDAP
> server. Configure OpenLDAP. Configure nss_ldap and pam_ldap, to use TLS
> or SSL connections. Configure Samba, to connect using TLS or SSL to your
> LDAP server. In this way you can achieve the maximum security from the
> ldap+samba setup.
Cool. I'll try that one to make it start, and have something to begin
working with.
I have *nix clients. See, what I mean to do is the following (not sure
if it can work):
+ Install a kerberos client on the windows workstations (somebody told
me that win2k and up already have one (probably a non standard one))
and, of course, on the *nix workstations.
+ Make people authenticate to a KDC.
+ Using the kerberos ticket, the user should be able to access his/her
folders on the samba server, without having to log into the samba again.
+ The user should be able to log in to her/his mail (a pop/imap server)
without having to put in his/her password again (this one I already know
works).
+ Be able to use ldap to "centralize" the users (maybe the ldap as
backend to kerberos).
+ Of course the profiles of mozilla and others would go onto the
server, thus creating "roaming" profiles (this is a cosmetic one, first
I need the thing working).
I'm not sure on how to make this, I have several options, but not sure
if it can be done (never seen something like this on the docs):
1. Make samba a kerberos service, so that samba authenticates the users
using the kerberos mechanism:
This implies this order:
samba -> kerberos 5 -> ldap (can this actually be done?). (this reads:
samba asks kerberos, and kerberos asks ldap).
workstation -> kerberos 5 -> ldap (this is what would happen on the
client side).
In this one, I'm not sure how the log-in would work, I think that the
workstations will not use a "domain", and hence would not use the
authentication methods provided by samba.
2. The option I have seen in many docs:
samba -> ldap -> sasl -> kerberos (not sure how this one works, I guess
it is something like the ldap is a kerberos service, and users
authenticate to samba using the directory, but they don't use
kerberos for authentication, this would mean that the SSO (single sign
on) would not work?).
Any docs, any help is welcome,
Thanks for the fast answer, and once again, thanks in advance for any
help on this,
Sincerely,
Ildefonso Camargo
icamargo at merkurio.com.ve
ildefonso_camargo at yahoo.com