[Samba] GSSAPI/KRB5 based LDAP binds

Enrico Scholz enrico.scholz at informatik.tu-chemnitz.de
Tue Jun 15 16:52:51 GMT 2004


I am using LDAP as passdb and idmap backends with Samba 3.0.3, and have
a problem with the configuration of 'ldap admin dn'. Currently, I have
to set the password for this DN with 'smbpasswd -w' (which works) and
Samba is doing simple LDAP binds then.

I would prefer a GSSAPI based LDAP authentication, which would have the
following advantages:

* the 'userPassword' attribute could be dropped (Samba is the only
  service which requires it); supporting this attribute besides krb5
  requires some effort on the LDAP server

* the authentication is passwordless; potential attackers cannot hack
  passwords (krb tickets are limited in time and probably uninteresting
  for them)

* it would ease configuration with 'cfengine'; executing 'smbpasswd
  -w<password>' is really bad since '<password>' appears for a short
  time in the process list. Since the password is stored in a binary
  format, it cannot be modified in another way.

The practical usage of GSSAPI based auth would be:

1. configure a krb5 cache file (e.g. with $KRB5CCNAME, or an option in

2. periodically (with a cronjob) write the ticket into this file (when
   you are paranoid, this can happen on another machine and copied with

3. on demand, samba uses ldap_sasl_bind() instead of ldap_simple_bind()

Am I missing something and such a setup is already supported by samba, or
is it a wishlist item?
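The three steps proposed above, written out as a small script that cron can run, as an added example that is not part of the original post and not Samba code. The keytab path, the principal name, the cache path and the LDAP URI are assumptions; the kinit flags are MIT Kerberos syntax, and ldapwhoami is the OpenLDAP client used here only to confirm that a SASL/GSSAPI bind with the cached ticket succeeds.

```shell
#!/bin/sh
# Added example, not from the post or from Samba. Paths, principal and URI
# below are assumptions; adapt them to the site. Run as: script run
set -eu

KEYTAB="${KEYTAB:-/etc/samba/ldap-admin.keytab}"       # assumed: keytab of the Samba host
PRINC="${PRINC:-samba/files.example.org@EXAMPLE.ORG}"   # assumed principal
CCACHE="${CCACHE:-/var/run/samba/ldap-admin.krb5cc}"    # assumed cache path (step 1)
LDAP_URI="${LDAP_URI:-ldap://ldap.example.org}"         # assumed directory URI

# Step 1: the dedicated cache is named through KRB5CCNAME. smbd must see the
# same value in its environment, otherwise it looks in the default cache.
ccache_env() { printf 'FILE:%s\n' "$1"; }

# Step 2: obtain a fresh TGT from the keytab. No password is typed, passed
# on the command line or visible in the process list. The cache is kept
# 0600 so that only the account smbd runs as can read the ticket.
refresh_ticket() {
    KRB5CCNAME="$(ccache_env "$CCACHE")" kinit -k -t "$KEYTAB" "$PRINC"
    chmod 600 "$CCACHE"
}

# Step 3 (check): a SASL/GSSAPI bind using the cached ticket. -Q suppresses
# the SASL chatter; the output is the authorization DN the server derived
# from the Kerberos principal, which is what 'ldap admin dn' would become.
check_gssapi_bind() {
    KRB5CCNAME="$(ccache_env "$CCACHE")" ldapwhoami -Q -Y GSSAPI -H "$LDAP_URI"
}

# A system-crontab line (user field included) that runs this script every
# $1 minutes at path $2. Renewing unconditionally, well inside the ticket
# lifetime, avoids a window in which the cache holds only expired tickets.
cron_entry() { printf '*/%s * * * * root %s run\n' "$1" "$2"; }

if [ "${1:-}" = "run" ]; then
    refresh_ticket
    check_gssapi_bind
fi
```

For the variant in step 2 where the ticket is obtained on another machine, the same script can run there with the bind check left out and the cache file copied to the Samba host afterwards; the copy must keep the 0600 mode and be owned by the user smbd runs as.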

