[Samba] OpenLDAP, heimdal kerberos, sasl, which order?

Gémes Géza geza at kzsdabas.sulinet.hu
Thu Apr 15 13:47:36 GMT 2004


José Ildefonso Camargo Tolosa wrote:
| Gémes Géza wrote:
|> If you have no *NIX clients, then you couldn't yet get any serious
|> benefit from using Kerberos for Windows clients.
|> So in this case I would suggest to build OpenSSL, OpenLDAP, and then
|> Samba. Configure a certificate authority, if you don't want to use a
|> commercially available one. Create certificates for your OpenLDAP
|> server. Configure OpenLDAP. Configure nss_ldap and pam_ldap, to use TLS
|> or SSL connections. Configure Samba, to connect using TLS or SSL to your
|> LDAP server. In this way you can achieve the maximum security from the
|> ldap+samba setup.
| Cool. I'll try that one to make it start, and have something to begin
| working with.
| I have *nix clients.  See, what I mean to do is the following (not sure
| if it can work):
| + Install a kerberos client on the windows workstations (somebody told
| me that the win2k and up already have one (probably a non-standard one))
| and, of course, on the *nix workstations.
| + Make people authenticate to a KDC.
| + Using the kerberos ticket, the user should be able to access his/her
| folders on the samba server, without having to log into the samba again.
| + The user should be able to login into her/his mail (a pop/imap server)
| without having to put his/her password again (this one I already know it
| works).
| + Be able to use ldap to "centralize" the users (maybe the ldap as
| backend to kerberos).
| + Of course the profiles of mozilla and others would go into the
| server, thus creating "roaming" profiles (this is a cosmetic one, first
| I need the thing working).
| I'm not sure on how to make this, I have several options, but not sure
| if it can be done (never seen something like this on the docs):
| 1. Make samba a kerberos service, so that samba authenticates to the users
| using the kerberos mechanism:
| This implies this order:
| samba -> kerberos 5 -> ldap  (can this actually be done?). (this reads:
| samba asks kerberos, and kerberos asks ldap).
| workstation -> kerberos 5 -> ldap (this is what would happen on the
| client side).
| In this one, I'm not sure how the log-in would work, I think that the
| workstations will not use a "domain", and hence would not use the
| authentication methods provided by samba.
| 2. The option I have seen in many docs:
| samba -> ldap -> sasl -> kerberos (not sure how this one works, I guess
| it is something like the ldap is a kerberos service, and users
| authenticate to samba using the directory, but they don't use the
| kerberos for authentication, this would mean that the SSO (single sign
| on) would not work?).

Currently NO non-AD Kerberos server is able to issue Kerberos tickets
with MSPAC authorization data, which are needed by Win2k and upward
Windows clients. So you could get use of a Kerberos server only for *NIX
I would recommend the following setup:


Samba with ldapsam backend

Current snapshot of Heimdal with ldap database.

Configure Heimdal to use the Samba NT Password hashes. And configure
SASL, also patch it with the loriket patch.

Configure your *NIX clients, to use pam_heimdal and nss_ldap. In this
way you would have:

*NIX host-------AUTH------>Heimdal-------DATABASE ACCESS----->LDAP<----
     |                                                          ^      |
     |                                                          |      |
     |                                                          |      |
     |                                                          |      |
     ----------------AUTHORIZATION and ACCOUNT-------------------      |
                           information                                 |
                                                                       |
                                                                       |
                                                                       |
Windows host--------------------->Samba-------------------------------



