[Samba] Seeking Good Documentation for... (freebsd+ldap+samba(pdc)+kerberos)

Chris Lawder chris at number41media.com
Wed Mar 2 16:58:46 GMT 2005


I beleive I have most of the under lying structure set up correctly at 
this time. Specific questions would include proper set up of ldap 
containers (tree?), authentication users (for adding computers etc), how 
to correctly add users and computers, and the tools used to do so. I hit 
a wall when I attempted to add a win2k workstation to the domain from 
that workstation.

But as mentioned in my original post I will most likely be rebuilding 
the Samba(PDC) server as it is currently a Slackware 10 build which 
lacks PAM support. Much of what I have read regarding NIS (/etc/passwd) 
replacement with LDAP describes using pam_ldap. At this time I have 
system(not samba) authentication working via ldap using only nsswitch 
but that seems to be restricted to {CRYPT} encrytion of passwords.

I am not yet exactly certain how Kerberos fits into this. I had added 
Kerberos support as some of the documentation I read spoke of it as a 
prerequisite for LDAP. At this time I am only using it as the rootdn 
(gssapi) authentication type for local and remote root access to the 
ldap server. But this has given me the opportunity to learn Kerberos as 
I have set up ssh auth to all unix server using it now. Fun!

As a note this is my first time working with both Kerberos and OpenLDAP. 
Much learning ahead :-)

Thank you for your help,


Thomas M. Skeren III wrote:

> Andrew Bartlett wrote:
> I've got it up with two way trusts to a w2k domain everything over a 
> ipsec vlan:
> s: 3.0.10 ports build
> FBSD: 5.3
> etc.   Any specific questions?
>> On Tue, 2005-03-01 at 15:43 -0800, Chris Lawder wrote:
>>> ... Setting up a Samba PDC with the following:
>>> FreeBSD 5.3
>>> Samba 3.0.x
>>> OpenLDAP 2.2.x
>>> Kerberos (Heimdal)
>> Have you read:
>> https://sec.miljovern.no/bin/view/Info/HeimdalKerberosSambaAndOpenLdap
>> Also, Howard Chu has a module in current OpenLDAP called smbk5pwd, which
>> was constructed to allow LDAP to 'set' all the different password types.
>> (Unfortunately I don't use it yet, despite being the person it was
>> constructed for...)
>> Andrew Bartlett


Number 41 Media Corporation
Suite 103 - 645 Fort Street
Victoria BC V8W 1G2

T 250.414.0410
F 250.414.0411

More information about the samba mailing list