[Samba] OpenLDAP, heimdal kerberos, sasl, which order?

Dan Hill dwh6 at cwru.edu
Thu Apr 22 13:48:37 GMT 2004


Andrew Bartlett wrote:
> On Thu, 2004-04-22 at 22:29, Dan Hill wrote:
> 
>>Andrew Bartlett wrote:
>>
>>>On Thu, 2004-04-15 at 21:47, Diego Julian Remolina wrote:
>>>
>>>
>>>>If you want to see the order on how to compile them and get them to work
>>>>then look at:
>>>>
>>>>http://www.math.gatech.edu/~dijuremo/ldap/
>>>>
>>>>If you have a Native Windows PDC and samba is acting as a secondary then
>>>>you can have kerberos authentication against the windows PDC kerberos.
>>>>This is done with a cross-realm authentication trick as I was told by
>>>>Gerald Carter (one of the developers of samba).
>>>>Samba 3 does not support kerberos auths without having a Windows PDC with
>>>>Active Directory.  If you do not have a native windows pdc then you need
>>>>to authenticate against the passwords stored in tdbsam or ldapsam but not
>>>>on kerberos.
>>>
>>>
>>>See, this is the trick I've been talking about.  Technically, Samba can
>>>use kerberos without a windows DC, but there are some silly, (and some
>>>not quite so silly) reasons why that's not an option right now.
>>>
>>>However, you can add Kerberos to your existing Samba LDAP server.  That
>>>is, if you run Heimdal 0.6.1 (or better still a snapshot) you can use
>>>your sambaNTpassword as the type 23 encryption key, and have
>>>linux/unix/OSX clients use kerberos.
>>>
>>>Andrew Bartlett
>>>
>>>
>>
>>Thanks for the link.
>>
>>Is it very difficult to add the Kerberos support after an LDAP Samba 
>>PDC/BDC setup has been configured and in production mode?
> 
> 
> Samba won't know the difference - but the new Heimdal KDC however will
> operate on exactly the same passwords!
> 
> You could even do it on a read-only LDAP slave, if you don't intend to
> change passwords (password changes are probably best done by Samba only
> at this point).
> 
> Andrew Bartlett
> 

Firstly, sorry about not sending my above message to the list.  I guess 
I hit reply rather than reply-all.

Thanks.  I will be giving Heimdal a try.

~Dan
