[Samba] Samba + LDAP + ¿Kerberos?
Jim Hogan
jimh at u.washington.edu
Thu Dec 28 17:51:01 GMT 2006
Michael, All,
I have been going back through the Samba archives looking to see if a
Samba+LDAP+Kerberos configuration is possible given my situation.
Mostly I see posts that say "You can't get there from here.", but I
don't want to give up too easily. My situation is this:
I have a new Samba 3.x domain with LDAP back end (using Fedora Directory
Server) and this stores user accounts for my university department
(about 300) and groups. For UIDs, this Samba domain uses the unique ID
employed by the university. The university employs a very mature SSO
infrastructure that includes Kerberos. I would like my Samba domain to
use university Kerberos realm for authentication (SSO) while I retain
control over authorization and departmental users/groups/shares. We
have a mix of Windows, Macs and Linux, so a generalizable Kerberos
authentication has even more appeal.
I have seen Samba How-To docs on using client Kerberos in an AD environment,
with examples of smb.conf entries for this.
The Fedora Directory Server Wiki has a fairly straightforward entry on
how to use FDS with Kerberos:
http://directory.fedora.redhat.com/wiki/Howto:Kerberos
What I am not seeing is a way to combine the two -- configure Samba
clients as Kerberos clients, which then present a Kerberos credential
to the Samba backend (LDAP) to satisfy authentication. I can't find it, but
I saw one article that seemed to suggest storing Kerberos credentials in
the LDAP NTPasswd field -- it made it seem like the LDAP/Samba server would act
like a proxy for the Samba client PCs -- but I am having a hard time seeing
how you could avoid having all client PCs act as Kerberos clients.
Like I say, I see some "not possible" replies, but some of them are
pretty dated. I also see some replies (like this one from 2004:
http://lists.samba.org/archive/samba/2004-April/084387.html ) which
propose some slightly different ways of achieving similar ends, but not
quite what I want to accomplish.
Obviously, if anybody has already implemented the type of solution I lay
out, I would buy them lunch (real or virtual) if they would share the
details. Alternatively if anybody can authoritatively spell out why
this just won't work, then I guess I can move on to the "grieving" stage
:) If there is a grey area here, some opportunity to experiment, well,
I'm game.
Thanks!
Jim
Michael Schurter wrote:
> Asier Baranguán wrote:
>> Hi!
>>
>> Perhaps this is not the appropriate list, but I need some advice.
>>
>> I have a working Samba PDC with an LDAP backend over a secure TLS
>> connection, with W2000 and XP clients. I've read in a lot of places
>> that Kerberos is a very nice thing to have in the setup, but I cannot
>> see why. I know the foundations of Kerberos, but I can't see how much
>> "value" it will add to the setup.
>>
>>
>> Am I missing something? Please help.
>
> Windows clients (as well as properly configured UNIX clients) will use
> Kerberos to authenticate against your PDC and between one another.
> The advantage Kerberos has is that it allows single sign on: 2 clients
> both authenticate once against the PDC, and then they can use their
> kerberos tickets to authenticate one another as well (without having
> to manually login with usernames and passwords again).