[Samba] Kerberos support in 3.0?

Andrew Bartlett abartlet at samba.org
Mon Feb 23 20:52:28 GMT 2004

On Tue, 2004-02-24 at 04:43, pll+samba at permabit.com wrote:
> Hi all,
> I'm about to begin building a single-sign-on environment (hopefully). 
> We just brought our first set of Windows-based PCs in, and would like 
> to integrate them into our existing Linux/MacOS X environment.
> We are currently running MIT Kerberos, and would like to create a 
> Samba PDC which authenticates against these KDCs.  Another parallel 
> project is to migrate to OpenLDAP.  I haven't found a lot of 
> documentation regarding Samba, LDAP, *and* kerberos.  It seems the 
> LDAP information is there, but the krb5 stuff hasn't been addressed 
> as well.
> Can someone provide pointers to any existing docs on using Samba and 
> Kerberos?  
> The things I'm not clear on are:
>   - does the Windows client need krb5 client sw installed to auth 
>     directly against the kdc, or the it proxy this through the Samba 
>     PDC?
>   - Does the Samba PDC auth directly against the kdc, or punt that to 
>     the LDAP server?

Getting windows clients to talk to MIT krb5 is possible, but my
understanding is that you loose most of the benifits of NT domain
intergration.  (You end up maintaining a lot of local accounts).

I've done some work on the reverse.  We have an NT password database
(samba's passdb backend) and we can use that same database to become a
kerberos server.  

I know it's not really what you were looking for, but here is my posting
to the samba-technical list:

At the very least, what I have done here makes Heimdal's LDAP backend
function again.  

Andrew Bartlett

Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.samba.org/archive/samba/attachments/20040224/71b4500c/attachment.bin

More information about the samba mailing list