[Samba] Samba as a PDC with LDAP and Kerberos

Franco "Sensei" senseiwa at tin.it
Fri Apr 22 23:52:39 GMT 2005


Ti Leggett wrote:
> I've been searching and researching this and I can't seem to find the
> answers I'm looking for. I'd like to setup a Samba PDC that Windows
> clients will join. The PDC will use an LDAP backend to get authorization
> information (username, home directory, etc). The authentication portion
> is handled by an MIT Kerberos KDC. I think I'm real close to having it
> all together but I'm not sure. I have the Windows client setup to point
> at my KDC so authentication *should* be coming from there once the
> authorization portion is going.

Hehehe, it's been a year trying to do that... but no way! I'm sorry to 
tell you, but what you want is a replacement of AD... in no way will Windows 
know about LDAP and MIT without an AD domain.

> So first question is, are sambaLMPassword and sambaNTPassword still
> needed in LDAP for each user?
> 
> Here's the output from ksetup /dumpstate:
> 
> Machine is not configured to log on to an external KDC. Probably a
> workgroup member
> EXAMPLE.COM:
> 	kdc = <kdc1 server>
> 	kdc = <kdc2 server>
> 	kpasswd = <kpasswd server>
> 	Realm Flags = 0x0 none
> No user mappings defined.

Users must be somewhere to make HKEY_LOCAL* work... and they should be 
local users (the MIT-KDC authentication works this way).

> Second, here's what I have in LDAP so far:
> [...]
> I've done a smbpasswd -w <hidden samba_server password>
> 
> I can do a net getlocalsid and it will get the correct SID out of LDAP.

Correct.

> However, when I try to join my Windows client to the EXAMPLE.COM domain,
> I can see the ldap queries happening, but the Windows client reports an
> invalid username.

Yes. Active Directory is not there... and it wants AD. In no way can you 
fake AD, even though it's Kerberos, LDAP and SMB + natural flavours...

-- 
Sensei <mailto:senseiwa at tin.it> <pgp:8998A2DB>

The difference between stupidity and genius is that genius has its limits.
    Albert Einstein
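The first question in the thread, whether sambaLMPassword and sambaNTPassword are still needed for each LDAP user, is the kind of thing worth checking mechanically before trying a domain join. The following is an added example, not code from either poster or from the Samba project: a small linter over one LDIF entry that confirms the objectClasses and attributes a Samba 3 PDC needs, that the user's sambaSID sits under the domain SID (the value `net getlocalsid` returns), and that an NT hash is present while flagging a legacy LM hash as a weakness. The domain SID, the LDIF entry and the hash values are all constructed placeholders; the parser handles plain `attr: value` lines only (no base64 `::` values or continuation lines).

```python
"""Lint a sambaSamAccount LDIF entry for a Samba 3 PDC (added example, constructed data)."""
import re

# Constructed sample entry: posixAccount + sambaSamAccount as a Samba 3 PDC expects.
SAMPLE_LDIF = """\
dn: uid=jdoe,ou=People,dc=example,dc=com
objectClass: posixAccount
objectClass: sambaSamAccount
uid: jdoe
uidNumber: 10001
gidNumber: 10001
homeDirectory: /home/jdoe
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-21002
sambaAcctFlags: [U          ]
sambaNTPassword: 0123456789ABCDEF0123456789ABCDEF
"""

# Constructed placeholder; a real deployment takes this from `net getlocalsid`.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"

# Attributes the PDC needs to map the user to a Unix identity and an NT account.
REQUIRED = ("uid", "uidNumber", "gidNumber", "homeDirectory", "sambaSID")
HEX32 = re.compile(r"^[0-9A-Fa-f]{32}$")  # an NT (or LM) hash is 16 bytes, hex-encoded


def parse_ldif_entry(text):
    """Parse a single LDIF entry into {attribute-name-lowercased: [values]}."""
    entry = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed LDIF line: {line!r}")
        entry.setdefault(name.strip().lower(), []).append(value.strip())
    return entry


def first(entry, attr):
    """Case-insensitive lookup of an attribute's first value ('' if absent)."""
    return entry.get(attr.lower(), [""])[0]


def check_samba_account(entry, domain_sid):
    """Return a list of findings; an empty list means the entry looks usable by the PDC."""
    findings = []
    classes = {c.lower() for c in entry.get("objectclass", [])}
    if "sambasamaccount" not in classes:
        findings.append("missing objectClass sambaSamAccount")
    if "posixaccount" not in classes:
        findings.append("missing objectClass posixAccount (no Unix identity for the user)")
    for attr in REQUIRED:
        if attr.lower() not in entry:
            findings.append(f"missing required attribute {attr}")
    sid = first(entry, "sambaSID")
    if sid and not sid.startswith(domain_sid + "-"):
        findings.append(f"sambaSID {sid} is not under the domain SID {domain_sid}")
    nt_hash = first(entry, "sambaNTPassword")
    if not nt_hash:
        findings.append("no sambaNTPassword: the PDC cannot validate NTLM logons for this user")
    elif not HEX32.match(nt_hash):
        findings.append("sambaNTPassword is not a 32-hex-digit NT hash")
    if "sambalmpassword" in entry:
        findings.append("sambaLMPassword present: LM hashes are weak, keep only sambaNTPassword "
                        "unless legacy clients require LM")
    if "D" in first(entry, "sambaAcctFlags"):
        findings.append("account is disabled (D in sambaAcctFlags)")
    return findings


def lint_ldif(text, domain_sid):
    """Convenience wrapper: parse one LDIF entry and return its findings."""
    return check_samba_account(parse_ldif_entry(text), domain_sid)


if __name__ == "__main__":
    for finding in lint_ldif(SAMPLE_LDIF, DOMAIN_SID) or ["OK: entry looks usable"]:
        print(finding)
```

Run it against an `ldapsearch` export of one user (one entry per call); a finding such as "no sambaNTPassword" or a SID outside the domain explains an "invalid username" on join far faster than reading the LDAP query log.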