[Samba] Samba as a PDC with LDAP and Kerberos

Ti Leggett leggett at ci.uchicago.edu
Sat Apr 23 13:07:43 GMT 2005


Ok, so I'm just trying to figure out my options here. I can:

- Use local accounts and local passwords
- Use Kerberos for authentication, but only with local user accounts
- Use a Samba PDC with an LDAP backend for accounts and passwords if and
only if the Windows clients are not bound to a Kerberos realm

Is this correct? In the third case, let's say I have a way to sync
Kerberos passwords and LDAP sambaNTPasswords. Shouldn't it work then?

Or what am I missing? I know I can't create an AD domain, but I'm not
trying to. AD is a combination of a lot more than just Kerberos and LDAP.

I'm curious how Apple does what seems to be just this with their
OpenDirectory, which is only MIT Kerberos, OpenLDAP, Cyrus SASL, and
Samba 3.0 (at least they claim it's only this).


On Fri, 2005-04-22 at 18:52 -0500, Franco "Sensei" wrote:
> Ti Leggett wrote:
> > I've been searching and researching this and I can't seem to find the
> > answers I'm looking for. I'd like to setup a Samba PDC that Windows
> > clients will join. The PDC will use an LDAP backend to get authorization
> > information (username, home directory, etc). The authentication portion
> > is handled by an MIT Kerberos KDC. I think I'm real close to having it
> > all together but I'm not sure. I have the Windows client setup to point
> > at my KDC so authentication *should* be coming from there once the
> > authorization portion is going.
> 
> Hehehe, it's been a year trying to do that... but no way! I'm sorry to 
> tell you, but what you want is a replacement of AD... in no way will 
> Windows know about LDAP and MIT without an AD domain.
> 
> > So first question is, are sambaLMPassword and sambaNTPassword still
> > needed in LDAP for each user?
> > 
> > Here's the output from ksetup /dumpstate:
> > 
> > Machine is not configured to log on to an external KDC. Probably a
> > workgroup member
> > EXAMPLE.COM:
> > 	kdc = <kdc1 server>
> > 	kdc = <kdc2 server>
> > 	kpasswd = <kpasswd server>
> > 	Realm Flags = 0x0 none
> > No user mappings defined.
> 
> Users must be somewhere to get HKEY_LOCAL* work... and they should be 
> local users (the MIT-KDC authentication works this way).
> 
> > Second, here's what I have in LDAP so far:
> > [...]
> > I've done a smbpasswd -w <hidden samba_server password>
> > 
> > I can do a net getlocalsid and it will get the correct SID out of LDAP.
> 
> Correct.
> 
> > However, when I try to join my Windows client to the EXAMPLE.COM domain,
> > I can see the ldap queries happening, but the Windows client reports an
> > invalid username.
> 
> Yes. Active Directory is not there... and it wants AD. In no way can you 
> fake AD, even though it's Kerberos, LDAP and SMB + natural flavours...
> 
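The password sync between Kerberos and LDAP that the third option depends on would have to write the NT hash of the new password into sambaNTPassword. The following is an added example (not code from this thread or from Samba) showing what that attribute actually holds and the LDIF a sync hook would send; the DN, uid and password are constructed sample values, and MD4 is implemented in plain Python only because many OpenSSL 3 builds of hashlib no longer ship MD4 in the default provider.

```python
"""Added example: contents of sambaNTPassword and a sync LDIF fragment.
Not code from the Samba thread; all names and values are constructed."""
import struct

_MASK = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & _MASK


def md4(data: bytes) -> bytes:
    """MD4 per RFC 1320. Pure Python so it runs where hashlib lacks 'md4'."""
    # Padding: 0x80, zeros to 56 mod 64, then the bit length as little-endian u64.
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", (8 * len(data)) & 0xFFFFFFFFFFFFFFFF)

    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    F = lambda x, y, z: (x & y) | ((~x & _MASK) & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    # (round function, additive constant, shift schedule, message-word order)
    rounds = (
        (F, 0x00000000, (3, 7, 11, 19), tuple(range(16))),
        (G, 0x5A827999, (3, 5, 9, 13),
         (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
        (H, 0x6ED9EBA1, (3, 9, 11, 15),
         (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)),
    )
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        for fn, const, shifts, order in rounds:
            for i, k in enumerate(order):
                a = _rotl((a + fn(b, c, d) + X[k] + const) & _MASK, shifts[i % 4])
                a, b, c, d = d, a, b, c  # rotate registers for the next step
        a0, b0, c0, d0 = ((a0 + a) & _MASK, (b0 + b) & _MASK,
                          (c0 + c) & _MASK, (d0 + d) & _MASK)
    return struct.pack("<4I", a0, b0, c0, d0)


def nt_hash(password: str) -> str:
    """The sambaNTPassword value: MD4 over the UTF-16LE password, upper-case hex.
    This is the credential NTLM authentication uses directly, so it is
    password-equivalent and must be protected in LDAP like userPassword."""
    return md4(password.encode("utf-16-le")).hex().upper()


def sync_ldif(dn: str, password: str) -> str:
    """LDIF 'modify' record a Kerberos password-change hook would feed to
    ldapmodify. sambaLMPassword is deliberately not written: the LM hash is
    not needed when 'lanman auth = no' (the default in current Samba) and
    is far weaker than the NT hash, so storing it only adds exposure."""
    return "\n".join([
        f"dn: {dn}",
        "changetype: modify",
        "replace: sambaNTPassword",
        f"sambaNTPassword: {nt_hash(password)}",
        "",
    ])


if __name__ == "__main__":
    # Constructed sample entry; the DN and password are not real.
    print(sync_ldif("uid=jdoe,ou=People,dc=example,dc=com", "password"))
```

Because the hex string in sambaNTPassword is equivalent to the password for NTLM purposes, the LDAP ACL should grant read access to it only to the bind DN the Samba server uses (the one whose password was stored with smbpasswd -w), never to anonymous or ordinary users, and the sync hook itself should run over TLS or a local socket.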
