[Samba] Active Directory to OpenLDAP+Kerberos on Linux

Gary Dale garydale at torfree.net
Fri Oct 14 04:26:10 GMT 2005

Akshay Guleria wrote:

>>>My readings of the docs is that while Samba can't be a DC in an AD
>>>domain, there is nothing to stop it from being a DC in an LDAP/Kerberos
>>You can setup Samba3 to honour an MIT kerberos realm (getting the
>>clients to function is a different matter, but possible).  You can also
>>have Heimdal backed onto Samba3's LDAP database, which you can populate
>>with the vampire tools.  And yes, the goal of Samba4 is to host an
>>AD-like domain, using the AD protocols.
>So, as I understand this, one can setup samba+MIT kerberos to achieve
>authentication and file & print services just like AD does. Right!?
>So, what's the challenge here? -
>1. Migrating the data from AD to LDAP: munging the passwords and then
>importing them into LDAP.
>2. Do I need to re-join the clients to the samba domain!?
>3. For the time being, I think incorporating DNS and DHCP like AD does
>is out of the scope of our discussion.
>Haven't found anything on the web that can help me set up this kind of
>thing. Can you please point me to such documentation.
Sorry, those who have been able to do it aren't telling.  :(

I tried earlier without success. I'd suggest trying first to get LDAP
working with Samba before tackling Kerberos. The previous responder
suggested that you can use net vampire to populate LDAP. I don't see any
reason why it shouldn't work.

The difficulty with getting this to work is that the different parts weren't
designed specifically to work together. You have to configure them to do
so. This makes LDAP a big step up from tdb as a samba database. Try the
Samba Howto Collection and the Samba By Example documents on
www.samba.org. They do cover the topics but maybe not in enough detail
for any particular distribution. Expect to do some playing around to get
it to work.
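As an added illustration (not from this thread or the Samba documentation), a minimal Samba 3 smb.conf fragment for the step the reply recommends first: moving the passdb backend from the local tdb database to OpenLDAP. The LDAP host, suffix and admin DN are assumed placeholders.

```ini
# Added example: Samba 3 smb.conf fragment, LDAP as the passdb backend instead of tdb.
# Hostnames, suffixes and DNs are assumed placeholders for this illustration.
[global]
   workgroup = EXAMPLEDOM

   # Before: the default local tdb database
   # passdb backend = tdbsam

   # After: accounts live in OpenLDAP. Use TLS so the admin bind and
   # password hashes are not sent to the directory server in the clear.
   passdb backend = ldapsam:ldap://ldap.example.internal
   ldap ssl = start tls
   ldap suffix = dc=example,dc=internal
   ldap user suffix = ou=Users
   ldap group suffix = ou=Groups
   ldap machine suffix = ou=Computers

   # Dedicated bind identity for Samba; give it write access only to the
   # branches above rather than the whole directory.
   ldap admin dn = cn=samba,ou=DSA,dc=example,dc=internal

   # Keep the POSIX and Samba password attributes in step, and never let
   # Samba delete the whole LDAP entry when an account is removed.
   ldap passwd sync = yes
   ldap delete dn = no
```

The bind password for the ldap admin dn is stored separately with `smbpasswd -w`, so it does not appear in smb.conf; run `testparm` to check the file before the vampire run populates the directory.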
