[Samba] Newbie: SAMBA, LDAP, Kerberos as password Database

Adam Tauno Williams adam at morrison-ind.com
Mon Sep 27 15:01:13 GMT 2004

> 1. We want to deploy MIT Kerberos 5, and we want the Kerberos password 
> database to be the ONLY password database.

Use Heimdal Kerberos and your KDC can use OpenLDAP as the back-end.

> 2. User accounts: posixAccount+sambaAccounts in OpenLDAP.
> 3. Configure OpenLDAP to recognize {SASL} passwords and authenticate through
> Kerberos.


> 4. Block write access to all password fields in the OpenLDAP tree. (only 
> Kerberos password should be writable using the kpasswd tool)

An LDAP configuration issue, and a minor one at that.

> My main question is: using Samba 3.x and ldap_sam, can one use
> password-based authentication against the Kerberos password database by
> simply entering a {SASL} type value in the sambaLMPassword and NTPassword
> fields in LDAP?

No, but the KDC can authenticate against the NTPassword field, or you can keep
the passwords in sync.
