[Samba] OpenLDAP,heimdal kerberos,sasl, wich order?

Diego Julian Remolina dijuremo at math.gatech.edu
Thu Apr 15 11:47:15 GMT 2004

If you want to see the order on how to compile them and get them to work
then look at:


If you have a Native Windows PDC and samba is acting as a secondary then
you can have kerberos authentication against the windows PDC kerberos.
This is done with a cross-realm authentication trick as I was told by
Gerald Carter (one of the developers of samba).
Samba 3 does not support kerberos auths without having a Windows PDC with
Active Directory.  If you do not have a native windows pdc then you need
to authenticate against the passwords stored in tdbsam or ldapsam but not
on kerberos.


On Wed, 14 Apr 2004, [ISO-8859-1] José Ildefonso Camargo Tolosa wrote:

> Gémes Géza wrote:
> > Hash: SHA1
> >
> > If you have no *NIX clients, then you couldn't yet get any serious
> > benefit from using Kerberos for Windows clients.
> > So in this case I would suggest to build OpenSSL, OpenLDAP, and then
> > Samba. Configure a certificate authority, if you don't want to use a
> > commercially available one. Create certificates for your OpenLDAP
> > server. Configure OpenLDAP. Configure nss_ldap and pam_ldap, to use TLS
> > or SSL connections. Configure Samba, to connect using TLS or SSL to your
> > LDAP server. In this way you can achieve the maximum security from the
> > ldap+samba setup.
> Cool. I'll try that one to make it start, and have something to begin
> working with.
> I have *nix clients.  See, what I mean to do is the following (not sure
> if it can work):
> + Install a kerberos client on the windows workstations (somebody told
> me that the win2k and up already have one (probably a non standard one))
> and, off course, on the *nix workstations.
> + Make people autenticate to a KDC.
> + Using the kerberos ticket, the user should be able to access his/her
> folders on the samba server, without having to log into the samba again.
> + The user should be able to login into her/his mail (a pop/imap server)
> without having to put his/her password again (this one I already know it
> works).
> + Be able to use ldap to "centralize" the users (maybe the ldap as
> backend to kerberos).
> + Off course the profiles of mozilla and others would go into the
> server, thus creating "roaming" profiles (this is a cosmetic one, first
> I need the thing working).
> I'm not sure on how to make this, I have several options, but not sure
> if it can be done (never seen something like this on the docs):
> 1. Make samba a kerberos service, so that samba autenticate to the users
> using the kerberos mechanism:
> This implies this order:
> samba -> kerberos 5 -> ldap  (can this actually be done?). (this reads:
> samba asks kerberos, and kerberos asks ldap).
> workstation -> kerberos 5 -> ldap (this is what would happend on the
> client side).
> In this one, I'm not sure how the log-in would work, I think that the
> workstations will not use a "domain", and hence would not use the
> autentication methos provided by samba.
> 2. The option I have seen in many docs:
> samba -> ldap -> sasl -> kerberos (not sure how this one works, I guess
> it is somthing like the ldap is a kerberos service, and users
> autenticate to samba using the directory, but they doesn't use the
> kerberos for autentication, this would mean that the SSO (single sign
> on) would no work?).
> Any docs, any help is welcome,
> Thanks for the fast answer, and once again, thanks in advance for any
> help on this,
> Sincerely,
> Ildefonso Camargo
> icamargo at merkurio.com.ve
> ildefonso_camargo at yahoo.com
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  http://lists.samba.org/mailman/listinfo/samba

More information about the samba mailing list