[Samba] Samba and Heimdal Kerberos V Authentication

Matt Skerritt matt.skerritt at agrav.net
Mon Dec 11 01:46:42 GMT 2006


Like you, I would like to have the setup described below. I believe  
this setup is possible, and the client and server setup side of it is  
described at


(which was also linked earlier in this thread). I am yet to set samba  
up to do kerberos authentication as described, but I did successfully  
join a Windows XP client to my MIT KDC as described.

The biggest problem that I've found so far is that as soon as you  
join your windows clients to the non-windows kerberos KDC, then that  
client is no longer in a domain, and all users and groups have to be  
local to the machine. (I think the computers will make a new profile  
when a user it hasn't seen before logs in, but I'm not 100% sure on  
this) ... things like roaming profiles and the like seem to become  
unavailable. At least in any useful sense.

That was completely unacceptable to me (although not surprising) as I  
have a running samba domain with roaming profiles, system policy and  
the like - all of which was unavailable to the machines  
authenticating against kerberos, so I have not pursued that setup any  
further. I am yet to find any dodges to this problem - and figure  
that until Samba 4 comes out, or until I am forced to buy a windows  
server, that it's just not going to happen :(

I hope that's at least a little helpful to you.

On 11/12/2006, at 6:00 AM, Asier Baranguán wrote:

> Uffs.. I'm a bit confused. I've read a lot of sources against  
> this but I can't find an authoritative book or site explaining this  
> kind of setup.
> I have a working Samba PDC server (under Debian Sarge) with an  
> OpenLDAP backend working very well with VServers. We use the LDAP a  
> lot for other services but I'd like to move the authentication part  
> off OpenLDAP, and use kerberos (heimdal or mit) for that, but  
> without major changes in the client side (mostly XP and W2k):
> + Don't re-create user accounts and profiles
> + Retain current passwords
> + Users can change their password with the common Windows dialog
> + etc.
> Simply, I need to know if this setup is possible: Windows clients  
> authenticating to a Samba PDC which uses LDAP for user account  
> information and Kerberos for authentication.
> As this involves lots of software I don't know where to ask:  
> ¿kerberos lists? ¿openldap lists? ¿samba lists? I've read a lot  
> of sources:

Matt Skerritt
matt.skerritt at agrav.net
