[Samba] Samba as a PDC with LDAP and Kerberos

leggett at ci.uchicago.edu leggett at ci.uchicago.edu
Wed Apr 27 18:40:12 GMT 2005

So I think I have the steps needed to get this all working, but I think I
have a chicken/egg problem now.

In order to join a machine to the Samba PDC Domain, you need to either use
a uid 0 user or one that has the SeMachineAccountPrivilege (3.0.11+)
privilege. This user must also be able to read and write to many pieces
of the LDAP directory. Now, I really would rather not have uid 0 users in
LDAP, so that leaves me with the privileges. However, in order to assign
privileges to a user or group, you must login as a Domain Admins user.
Now, by default the Domain Admins group doesn't have these privileges, so
you must use a uid 0 user to get these privileges assigned. However, since
I don't have a uid 0 user in LDAP, Samba doesn't recognize root as a valid
user (passdb backend = ldapsam). And from what I can tell, the updated
schema with 3.0.11 removed the sambaPrivilegesList, so that privileges can
only be assigned using net rpc rights.

So, is there a way to get it to a point where a normal user in the Domain
Admins group can join machines and add Samba Accounts, etc. without
requiring a uid 0 user to be in LDAP?

Also, what pieces are really needed to join a machine to the Samba Domain.
And what and who needs to be able to read/write LDAP for this to happen?

Pieces I've identified so far. Things starting with '?' I'm not sure about.

- Domain Users, Domain Admins, and Domain Guests groups exist with valid
sambaSIDs (posixGroup and sambaGroupMapping)
- Domain Admins group has the SeMachineAccountPrivilege privilege
- a sambaDomainName object with a valid sambaSID
- a user (posixAccount and sambaSamAccount) who has a valid uid, sambaSID,
whose SID is in the Domain Admins sambaSIDList
? A machine user (posixAccount sambaSamAccount) with a valid uid and
sambaSID and whose parent LDAP tree is listed as a passwd search path for

My last question is this. Does the user listed above have to have
write access to the LDAP directory or does only the samba user whose
password is stored in private/secrets.tdb need write access to the

Because I'm using Kerberos as my authentication scheme, in order to write
to the directory you must have an admin principal (userfoo/admin).
However, these principals should not be in LDAP with UIDs because they're
never used in that aspect.

Does any of this make sense, or am I just thoroughly confused?

> Let me rephrase a bit. Is there a way to use Samba as a PDC with an LDAP
> backend and use pam_smbpass to keep the passwords sync'd between the
> Kerberos side and the Samba side? That way the Windows clients join the
> domain using only the LDAP information not knowing about the Kerberos
> side of things?
> I just removed the Kerberos information from my Windows client and tried
> only using, as far as I can tell, the LDAP information and the client
> still comes back saying the user name is unknown.
> On Sat, 2005-04-23 at 08:07 -0500, Ti Leggett wrote:
>> Ok, so I'm just trying to figure out my options here. I can:
>> - Use local accounts and local passwords
>> - Use Kerberos for authentication, but only with local user accounts
>> - Use a Samba PDC with an LDAP backend for accounts and password if and
>> only if the windows clients are not bound to a Kerberos realm
>> Is this correct? In the third case, let's say I have a way to sync
>> Kerberos passwords and LDAP sambaNTPasswords. Shouldn't it work then?
>> Or what am I missing? I know I can't create an AD domain, but I'm not
>> trying to. AD is a combination of a lot more than just Kerberos and LDAP.
>> I'm curious how Apple does what seems to be just this with their
>> OpenDirectory, which is only MIT Kerberos, OpenLDAP, Cyrus SASL, and
>> Samba 3.0 (at least they claim it's only this).
>> On Fri, 2005-04-22 at 18:52 -0500, Franco "Sensei" wrote:
>> > Ti Leggett wrote:
>> > > I've been searching and researching this and I can't seem to find the
>> > > answers I'm looking for. I'd like to setup a Samba PDC that Windows
>> > > clients will join. The PDC will use an LDAP backend to get authorization
>> > > information (username, home directory, etc). The authentication portion
>> > > is handled by an MIT Kerberos KDC. I think I'm real close to having it
>> > > all together but I'm not sure. I have the Windows client setup to point
>> > > at my KDC so authentication *should* be coming from there once the
>> > > authorization portion is going.
>> >
>> > Hehehe, it's been a year trying to do that... but no way! I'm sorry to
>> > tell you, but what you want is a replacement of AD... in no way windows
>> > will know about ldap and mit, without an AD domain.
>> >
>> > > So first question is, are sambaLMPassword and sambaNTPassword still
>> > > needed in LDAP for each user?
>> > >
>> > > Here's the output from ksetup /dumpstate:
>> > >
>> > > Machine is not configured to log on to an external KDC. Probably a
>> > > workgroup member
>> > > 	kdc = <kdc1 server>
>> > > 	kdc = <kdc2 server>
>> > > 	kpasswd = <kpasswd server>
>> > > 	Realm Flags = 0x0 none
>> > > No user mappings defined.
>> >
>> > Users must be somewhere to get HKEY_LOCAL* work... and they should be
>> > local users (the MIT-KDC authentication works this way).
>> >
>> > > Second, here's what I have in LDAP so far:
>> > > [...]
>> > > I've done a smbpasswd -w <hidden samba_server password>
>> > >
>> > > I can do a net getlocalsid and it will get the correct SID out of LDAP.
>> >
>> > Correct.
>> >
>> > > However, when I try to join my Windows client to the EXAMPLE.COM domain,
>> > > I can see the ldap queries happening, but the Windows client reports an
>> > > invalid username.
>> >
>> > Yes. Active Directory is not there... and it wants AD. In no way you can
>> > fake AD, even though it's kerberos, ldap and smb + natural-flavours...
>> >
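As an added example (not code from the post, the Samba project, or this list), the list of LDAP "pieces" from the first message written out as a constructed LDIF, together with a small checker that verifies they hang together: one sambaDomain object, the Domain Admins/Users/Guests groups as posixGroup + sambaGroupMapping with the well-known RIDs 512/513/514 under the domain SID, a posixAccount + sambaSamAccount user who is in Domain Admins, and a machine account carrying the W (workstation trust) flag. The domain SID, DNs, uids and account names are constructed placeholders. The checker accepts Domain Admins membership through either the posixGroup's memberUid (which is how ldapsam resolves group membership via NSS) or the sambaSIDList the post mentions; the LDIF reader is deliberately minimal and handles neither base64 values nor folded lines.

```python
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed placeholder
RID_BASE = 1000  # Samba's default sambaAlgorithmicRidBase; RIDs below it are well-known
WELL_KNOWN_GROUPS = {"Domain Admins": 512, "Domain Users": 513, "Domain Guests": 514}

SAMPLE_LDIF = f"""\
dn: sambaDomainName=EXAMPLE,dc=example,dc=com
objectClass: sambaDomain
sambaDomainName: EXAMPLE
sambaSID: {DOMAIN_SID}
sambaAlgorithmicRidBase: {RID_BASE}

dn: cn=Domain Admins,ou=Groups,dc=example,dc=com
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: Domain Admins
gidNumber: 512
memberUid: smbadmin
sambaSID: {DOMAIN_SID}-512
sambaGroupType: 2
sambaSIDList: {DOMAIN_SID}-3000

dn: cn=Domain Users,ou=Groups,dc=example,dc=com
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: Domain Users
gidNumber: 513
sambaSID: {DOMAIN_SID}-513
sambaGroupType: 2

dn: cn=Domain Guests,ou=Groups,dc=example,dc=com
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: Domain Guests
gidNumber: 514
sambaSID: {DOMAIN_SID}-514
sambaGroupType: 2

dn: uid=smbadmin,ou=People,dc=example,dc=com
objectClass: posixAccount
objectClass: sambaSamAccount
uid: smbadmin
cn: Samba Admin
uidNumber: 1000
gidNumber: 512
homeDirectory: /home/smbadmin
sambaSID: {DOMAIN_SID}-3000
sambaAcctFlags: [U          ]

dn: uid=ws01$,ou=Computers,dc=example,dc=com
objectClass: posixAccount
objectClass: sambaSamAccount
uid: ws01$
cn: ws01$
uidNumber: 1001
gidNumber: 515
homeDirectory: /dev/null
sambaSID: {DOMAIN_SID}-3002
sambaAcctFlags: [W          ]
"""

def parse_ldif(text):
    """Minimal LDIF reader: blank-line separated entries, 'attr: value' lines, multi-valued attrs as lists."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(": ")
            entry.setdefault(attr, []).append(value)
        entries.append(entry)
    return entries

def check_domain(entries):
    """Return the problems found; an empty list means every piece the post lists is present and consistent."""
    first = lambda e, a: e.get(a, [""])[0]
    of = lambda oc: [e for e in entries if oc in e.get("objectClass", [])]
    domains = of("sambaDomain")
    if len(domains) != 1 or not first(domains[0], "sambaSID").startswith("S-1-5-21-"):
        return ["need exactly one sambaDomain object with a well-formed sambaSID"]
    dsid, problems = first(domains[0], "sambaSID"), []
    groups = {first(g, "cn"): g for g in of("sambaGroupMapping")}
    for name, rid in WELL_KNOWN_GROUPS.items():  # well-known domain group RIDs
        g = groups.get(name)
        if g is None or "posixGroup" not in g["objectClass"]:
            problems.append(f"{name}: missing, or not posixGroup + sambaGroupMapping")
        elif first(g, "sambaSID") != f"{dsid}-{rid}" or first(g, "sambaGroupType") != "2":
            problems.append(f"{name}: must be a domain group (type 2) with sambaSID {dsid}-{rid}")
    admins, has_admin = groups.get("Domain Admins", {}), False
    for a in of("sambaSamAccount"):
        uid, sid = first(a, "uid"), first(a, "sambaSID")
        rid = sid.rsplit("-", 1)[-1]
        # every account needs a POSIX identity and a SID in this domain above the well-known range
        if ("posixAccount" not in a["objectClass"] or not sid.startswith(dsid + "-")
                or not rid.isdigit() or int(rid) < RID_BASE):
            problems.append(f"{uid}: needs posixAccount and a sambaSID in the domain with RID >= {RID_BASE}")
        if uid.endswith("$") and "W" not in first(a, "sambaAcctFlags"):
            problems.append(f"{uid}: machine account needs the W flag in sambaAcctFlags")
        elif not uid.endswith("$") and (sid in admins.get("sambaSIDList", [])
                                        or uid in admins.get("memberUid", [])):
            has_admin = True
    if not has_admin:
        problems.append("no user account is a member of Domain Admins (memberUid or sambaSIDList)")
    return problems
```

Running `check_domain(parse_ldif(SAMPLE_LDIF))` on the constructed tree returns an empty list; dropping the W flag from the machine account, renaming one of the well-known groups, or giving Domain Admins a SID that is not `<domain SID>-512` each produce a one-line problem naming the offending entry, which is the kind of mismatch that otherwise surfaces only as "invalid username" on the Windows side of the join.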
