[Samba] Samba as a PDC with LDAP and Kerberos

FM dist-list at LEXUM.UMontreal.CA
Mon Apr 25 19:58:15 GMT 2005

My setup:
Windows stations

All users (POSIX and LDAP) are in OpenLDAP.
All my LDAP passwords are: {SASL}USER at REALM
I use saslauthd so I can connect to LDAP using simple bind with a password;
this password CANNOT be changed (denied by the slapd.access.conf file).

Samba cannot use MIT Kerberos for the password, so my little trick:
I created a Perl script using Authen::Krb5::Admin that uses a keytab for
authentication: krb5_update_pwd.pl

In smb.conf:
    ldap passwd sync = No
    unix password sync = Yes
    passwd program = /usr/local/sbin/krb5_update_pwd.pl -u %u
    %n\n *passwd:*all*authentication*tokens*updated*successfully*
    passwd chat = *Password:* %n\n *Again:* %n\n *Changed*

So when Windows users change their password (from the change password
option in Windows), Samba calls /krb5_update_pwd.pl, which also updates
the Kerberos password.

Linux users just have to use:
smbpasswd -r PDC_SERVER
That command updates the Samba password and again it calls
/krb5_update_pwd.pl to sync the Kerberos password.

I know there are some shortcomings (password policies, for example). But
it's the closest I get :-)

Hope this can help :-)

Ti Leggett wrote:
> Let me rephrase a bit. Is there a way to use Samba as a PDC with an LDAP
> backend and use pam_smbpass to keep the passwords sync'd between the
> Kerberos side and the Samba side? That way the Windows clients join the
> domain using only the LDAP information not knowing about the Kerberos
> side of things?
> I just removed the Kerberos information from my Windows client and tried
> only using, as far as I can tell, the LDAP information and the client
> still comes back saying the user name is unknown.
> On Sat, 2005-04-23 at 08:07 -0500, Ti Leggett wrote:
>>Ok, so I'm just trying to figure out my options here. I can:
>>- Use local accounts and local passwords
>>- Use Kerberos for authentication, but only with local user accounts
>>- Use a Samba PDC with an LDAP backend for accounts and passwords if and
>>only if the Windows clients are not bound to a Kerberos realm
>>Is this correct? In the third case, let's say I have a way to sync
>>Kerberos passwords and LDAP sambaNTPasswords. Shouldn't it work then?
>>Or what am I missing? I know I can't create an AD domain, but I'm not
>>trying to. AD is a combination of a lot more than just Kerberos and LDAP.
>>I'm curious how Apple does what seems to be just this with their
>>OpenDirectory, which is only MIT Kerberos, OpenLDAP, Cyrus SASL, and
>>Samba 3.0 (at least they claim it's only this).
>>On Fri, 2005-04-22 at 18:52 -0500, Franco "Sensei" wrote:
>>>Ti Leggett wrote:
>>>>I've been searching and researching this and I can't seem to find the
>>>>answers I'm looking for. I'd like to setup a Samba PDC that Windows
>>>>clients will join. The PDC will use an LDAP backend to get authorization
>>>>information (username, home directory, etc). The authentication portion
>>>>is handled by an MIT Kerberos KDC. I think I'm real close to having it
>>>>all together but I'm not sure. I have the Windows client setup to point
>>>>at my KDC so authentication *should* be coming from there once the
>>>>authorization portion is going.
>>>Hehehe, it's been a year trying to do that... but no way! I'm sorry to
>>>tell you, but what you want is a replacement of AD... in no way will
>>>Windows know about LDAP and MIT without an AD domain.
>>>>So first question is, are sambaLMPassword and sambaNTPassword still
>>>>needed in LDAP for each user?
>>>>Here's the output from ksetup /dumpstate:
>>>>Machine is not configured to log on to an external KDC. Probably a
>>>>workgroup member
>>>>	kdc = <kdc1 server>
>>>>	kdc = <kdc2 server>
>>>>	kpasswd = <kpasswd server>
>>>>	Realm Flags = 0x0 none
>>>>No user mappings defined.
>>>Users must be somewhere to get HKEY_LOCAL* work... and they should be 
>>>local users (the MIT-KDC authentication works this way).
>>>>Second, here's what I have in LDAP so far:
>>>>I've done a smbpasswd -w <hidden samba_server password>
>>>>I can do a net getlocalsid and it will get the correct SID out of LDAP.
>>>>However, when I try to join my Windows client to the EXAMPLE.COM domain,
>>>>I can see the ldap queries happening, but the Windows client reports an
>>>>invalid username.
>>>Yes. Active Directory is not there... and it wants AD. In no way can you
>>>fake AD, even though it's Kerberos, LDAP and SMB + natural flavours...
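An added example, not the poster's krb5_update_pwd.pl (which is not shown on the page): a Python version of such a passwd program that implements the dialogue the passwd chat line above expects, validates the username Samba passes via -u before it reaches any command, and hands the new password to the KDC over stdin rather than argv. The keytab path, the admin principal and the assumption that MIT kadmin's change_password accepts the new password from piped stdin are mine and must be checked against the local installation.

```python
#!/usr/bin/env python3
"""Added example of a Samba 'passwd program' that forwards the new password to
a Kerberos KDC. Not the poster's krb5_update_pwd.pl; the kadmin call is an
assumption about MIT kadmin's prompting and must be verified locally."""
import re
import subprocess
import sys

# Usernames reach a command line, so accept only a conservative character set.
USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_.-]{0,31}$")
KEYTAB = "/etc/samba/krb5_update_pwd.keytab"       # placeholder path (assumed)
ADMIN_PRINC = "samba-pwsync/admin@EXAMPLE.REALM"   # placeholder principal (assumed)

def kadmin_change_password(user, password):
    """Assumed backend: MIT kadmin authenticating from a keytab (-k -t); the new
    password is typed twice on stdin, so it never appears in argv or ps."""
    cmd = ["kadmin", "-k", "-t", KEYTAB, "-p", ADMIN_PRINC,
           "-q", f"change_password {user}"]
    proc = subprocess.run(cmd, input=f"{password}\n{password}\n",
                          capture_output=True, text=True)
    return proc.returncode == 0

def password_chat(user, inp, out, change=kadmin_change_password):
    """Run the dialogue matched by
    passwd chat = *Password:* %n\\n *Again:* %n\\n *Changed*
    over the given streams. Return True only if the KDC accepted the change."""
    if not USERNAME_RE.match(user):
        out.write("Invalid user name\n")
        return False
    out.write("Password: ")
    out.flush()
    first = inp.readline().rstrip("\r\n")
    out.write("Again: ")
    out.flush()
    second = inp.readline().rstrip("\r\n")
    if not first or first != second:
        out.write("Passwords do not match\n")
        return False
    if not change(user, first):
        out.write("Kerberos password change failed\n")
        return False
    out.write("Changed\n")
    return True

if __name__ == "__main__":
    # Samba runs: krb5_update_pwd.py -u %u  (password arrives via the chat, not argv)
    if len(sys.argv) != 3 or sys.argv[1] != "-u":
        sys.exit("usage: krb5_update_pwd.py -u USERNAME")
    sys.exit(0 if password_chat(sys.argv[2], sys.stdin, sys.stdout) else 1)
```

Because Samba matches the chat strings, any change to the prompts printed here must be mirrored in the smb.conf passwd chat line.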
