[Samba] OpenLDAP,heimdal kerberos,sasl, wich order?
dwh6 at cwru.edu
Thu Apr 22 13:48:37 GMT 2004
Andrew Bartlett wrote:
> On Thu, 2004-04-22 at 22:29, Dan Hill wrote:
>>Andrew Bartlett wrote:
>>>On Thu, 2004-04-15 at 21:47, Diego Julian Remolina wrote:
>>>>If you want to see the order on how to compile them and get them to work
>>>>then look at:
>>>>If you have a Native Windows PDC and samba is acting as a secondary then
>>>>you can have kerberos authentication against the windows PDC kerberos.
>>>>This is done with a cross-realm authentication trick as I was told by
>>>>Gerald Carter (one of the developers of samba).
>>>>Samba 3 does not support kerberos auths without having a Windows PDC with
>>>>Active Directory. If you do not have a native windows pdc then you need
>>>>to authenticate against the passwords stored in tdbsam or ldapsam but not
>>>See, this is the trick I've been talking about. Technially, Samba can
>>>use kerberos without a windows DC, but there are some silly, (and some
>>>not quite so silly) reasons why that's not an option right now.
>>>However, you can add Kerberos to your existing Samba LDAP server. That
>>>is, if you run Heimdal 0.6.1 (or better still a snapshot) you can use
>>>your sambaNTpassword as the type 23 encryption key, and have
>>>linux/unix/OSX clients use kerberos.
>>Thanks for the link.
>>Is it very difficult to add the Kerberos support after an LDAP Samba
>>PDC/BDC setup has been configured and in production mode?
> Samba won't know the difference - but the new Heimdal KDC however will
> operate on exactly the same passwords!
> You could even do it on a read-only LDAP slave, if you don't intend to
> change passwords (password changes are probably best done by Samba only
> at this point).
> Andrew Bartlett
Firstly, sorry about not sending my above message to the list. I guess
I hit reply rather than reply-all.
Thanks. I will be giving Heimdel a try.
More information about the samba