[Samba] Samba and Heimdal Kerberos V Authentication

Asier Baranguán abaranguan at elpagestion.com
Sun Dec 10 19:00:56 GMT 2006

Gémes Géza wrote:

> Yes I use it with ~1000 users, and it's working like a charm, you just
> have to take care of the ACLs of passwords stored on LDAP as stated on
> Samba and Heimdal documentations, also if you want non-SASL binds you may
> want to set the userPassword attributes to
> {SASL}theusersuid at YOUR.KERBEROS.REALM. I've attached my
> /usr/lib/sasl2/slapd.conf, /etc/default/saslauthd (I use debian), and
> hdb.schema (I've found it googling).

Uffs... I'm a bit confused. I've read a lot of sources about this but I can't find an 
authoritative book or site explaining this kind of setup.

I have a working Samba PDC server (under Debian Sarge) with an OpenLDAP backend working 
very well with VServers. We use the LDAP a lot for other services but I'd like to move the 
authentication part off OpenLDAP, and use kerberos (heimdal or mit) for that, but without 
major changes in the client side (mostly XP and W2k):

+ Don't re-create user accounts and profiles
+ Retain current passwords
+ Users can change their password with the common Windows dialog
+ etc.

Simply, I need to know if this setup is possible: Windows clients authenticating to a 
Samba PDC which uses LDAP for user account information and Kerberos for authentication.

As this involves lots of software, I don't know where to ask: Kerberos lists? OpenLDAP 
lists? Samba lists? I've read a lot of sources:

| SysAdmin magazine: "Centralized user management Kerberos+LDAP"
| http://www.samag.com/documents/s=9494/sam0502a/0502a.htm
| Turbo Frederiksson HOWTO
| http://www.bayour.com/LDAPv3-HOWTO.html
| Joey Heiss HOWTO "Replacing NIS with Kerberos and LDAP"
| http://aput.net/~jheiss/krbldap/
| "OpenAFS, Kerberos 5, LDAP and Linux"
| http://www.arayan.com/da/yazi/OpenAFS_Kerberos_5.html

But perhaps the trees don't let me see the forest.

*ANY* pointer would be greatly appreciated.
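The `{SASL}uid@REALM` pass-through form mentioned in the quoted reply replaces the hash stored in `userPassword` so that a simple bind is verified by saslauthd against the KDC instead of the directory. The following script is an added example, not code from this thread or from Samba/Heimdal: it reads an LDIF dump (constructed sample below), skips accounts already converted, and emits a modify LDIF; `EXAMPLE.COM` is a placeholder realm and the slapd/saslauthd SASL setup is assumed to be in place before the change is applied.

```python
"""Rewrite OpenLDAP userPassword values to the {SASL}uid@REALM pass-through form.

Added example (not from the original thread). Assumes slapd is built with SASL
support and saslauthd is configured for the Kerberos realm, so that a simple
bind with userPassword "{SASL}uid@REALM" is checked against the KDC and no
password hash remains in the directory.
"""
import base64
import re

REALM = "EXAMPLE.COM"  # placeholder realm, replace with the real Kerberos realm

# Constructed sample: one account still holding an SSHA hash, one already converted.
SAMPLE_LDIF = """\
dn: uid=jdoe,ou=People,dc=example,dc=com
objectClass: posixAccount
objectClass: sambaSamAccount
uid: jdoe
userPassword:: e1NTSEF9WFhYWA==

dn: uid=asmith,ou=People,dc=example,dc=com
objectClass: posixAccount
uid: asmith
userPassword: {SASL}asmith@EXAMPLE.COM
"""


def parse_ldif(text):
    """Minimal LDIF parser: returns [(dn, {attr: [values]})].

    Handles folded lines (leading space) and base64 values ("attr:: ...").
    """
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = []
        for line in block.splitlines():
            if line.startswith(" ") and lines:
                lines[-1] += line[1:]          # unfold continuation line
            elif line and not line.startswith("#"):
                lines.append(line)
        dn, attrs = None, {}
        for line in lines:
            key, _, val = line.partition(":")
            val = val.strip()
            if val.startswith(":"):            # "attr:: base64" form
                val = base64.b64decode(val[1:].strip()).decode("utf-8", "replace")
            if key == "dn":
                dn = val
            else:
                attrs.setdefault(key, []).append(val)
        if dn:
            entries.append((dn, attrs))
    return entries


def sasl_passthrough_ldif(text, realm=REALM):
    """Emit modify LDIF replacing stored hashes with {SASL}uid@realm.

    Entries without a uid or already in {SASL} form are left untouched.
    """
    out = []
    for dn, attrs in parse_ldif(text):
        uid = attrs.get("uid", [None])[0]
        pw = attrs.get("userPassword", [""])[0]
        if uid is None or pw.startswith("{SASL}"):
            continue
        out.append(f"dn: {dn}\nchangetype: modify\nreplace: userPassword\n"
                   f"userPassword: {{SASL}}{uid}@{realm}\n-\n")
    return "\n".join(out)


if __name__ == "__main__":
    print(sasl_passthrough_ldif(SAMPLE_LDIF))
```

Feed the output to `ldapmodify` only after verifying that a test bind against a single converted account succeeds, since once the hash is replaced the directory alone can no longer validate that user's password.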

