[Samba] OpenLDAP,heimdal kerberos,sasl, wich order?

Wed Apr 14 18:37:25 GMT 2004

Gémes Géza wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> If you have no *NIX clients, then you couldn't yet get any serious
> benefit from using Kerberos for Windows clients.
> So in this case I would suggest to build OpenSSL, OpenLDAP, and then
> Samba. Configure a certificate authority, if you don't want to use a
> commercially available one. Create certificates for your OpenLDAP
> server. Configure OpenLDAP. Configure nss_ldap and pam_ldap, to use TLS
> or SSL connections. Configure Samba, to connect using TLS or SSL to your
> LDAP server. In this way you can achieve the maximum security from the
> ldap+samba setup.

Cool. I'll try that one to make it start, and have something to begin 
working with.

I have *nix clients.  See, what I mean to do is the following (not sure 
if it can work):

+ Install a kerberos client on the windows workstations (somebody told 
me that the win2k and up already have one (probably a non standard one)) 
and, off course, on the *nix workstations.
+ Make people autenticate to a KDC.
+ Using the kerberos ticket, the user should be able to access his/her 
folders on the samba server, without having to log into the samba again.
+ The user should be able to login into her/his mail (a pop/imap server) 
without having to put his/her password again (this one I already know it 
works).
+ Be able to use ldap to "centralize" the users (maybe the ldap as 
backend to kerberos).
+ Off course the profiles of mozilla and others would go into the 
server, thus creating "roaming" profiles (this is a cosmetic one, first 
I need the thing working).

I'm not sure on how to make this, I have several options, but not sure 
if it can be done (never seen something like this on the docs):

1. Make samba a kerberos service, so that samba autenticate to the users 
using the kerberos mechanism:

This implies this order:

samba -> kerberos 5 -> ldap  (can this actually be done?). (this reads: 
samba asks kerberos, and kerberos asks ldap).
workstation -> kerberos 5 -> ldap (this is what would happend on the 
client side).

In this one, I'm not sure how the log-in would work, I think that the 
workstations will not use a "domain", and hence would not use the 
autentication methos provided by samba.

2. The option I have seen in many docs:

samba -> ldap -> sasl -> kerberos (not sure how this one works, I guess 
it is somthing like the ldap is a kerberos service, and users 
autenticate to samba using the directory, but they doesn't use the 
kerberos for autentication, this would mean that the SSO (single sign 
on) would no work?).

Any docs, any help is welcome,

Thanks for the fast answer, and once again, thanks in advance for any 
help on this,

Sincerely,

Ildefonso Camargo
icamargo at merkurio.com.ve
ildefonso_camargo at yahoo.com