[Samba] Samba + LDAP + ¿Kerberos?
jimh at u.washington.edu
Thu Dec 28 17:51:01 GMT 2006
I have been going back through the Samba archives looking to see if a
Samba+LDAP+Kerberos configuration is possible given my situation.
Mostly I see posts that say "You can't get there from here.", but I
don't want to give up too easily. My situation is this:
I have a new Samba 3.x domain with LDAP back end (using Fedora Directory
Server) and this stores user accounts for my university department
(about 300) and groups. For UID this Samba domain uses the unique ID
employed by the university. The university employs a very mature SSO
infrastructure that includes Kerberos. I would like my Samba domain to
use university Kerberos realm for authentication (SSO) while I retain
control over authorization and departmental users/groups/shares. We
have a mix of Windows, Macs and Linux, so a generalizable Kerberos
authentication has even more appeal.
I have seen Samba How-To docs on using client Kerberos in AD environment
with examples of smb.conf entries for this.
The Fedora Directory Server Wiki has a fairly straightforward entry on
how to use FDS with Kerberos:
What I am not seeing is a way to combine the two -- configure Samba
clients as kerberos client but which then presents kerberos credential
to Samba backend (LDAP) to satisfy authentication. I can't find it, but
I saw one article that seemed to suggest storing Kerberos credentials in
LDAP NTPasswd field -- made it seem like LDAP/Samba server would act
like proxy for Samba client PCs -- but I am having a hard time seeing
how you could avoid having all client PCs act as Kerberos clients.
Like I say, I see some "not possible" replies, but some of them are
pretty dated. I also see some replies (like this one from 2004:
http://lists.samba.org/archive/samba/2004-April/084387.html ) which
propose some slightly different ways of achieving similar ends, but not
quite what I want to accomplish.
Obviously, if anybody has already implemented the type of solution I lay
out, I would buy them lunch (real or virtual) if they would share the
details. Alternatively if anybody can authoritatively spell out why
this just won't work, then I guess I can move on to the "grieving" stage
:) If there is a grey area here, some opportunity to experiment, well,
Michael Schurter wrote:
> Asier Baranguán wrote:
>> Perhaps this is not the appropiate list, but I need some advices.
>> I have a working Samba PDC with a LDAP backend over a secure TLS
>> connection, with W2000 and XP clients. I've readed in a lot of places
>> that Kerberos is a very nice thing to have in the setup but I cannot
>> see why. I know the foundations of kerberos but I can't see how much
>> "value" will add to the setup.
>> I'm missing something? please, help.
> Windows clients (as well as properly configured UNIX clients) will use
> Kerberos to authenticate against your PDC and between one another.
> The advantage Kerberos has is that it allows single sign on: 2 clients
> both authenticate once against the PDC, and then they can use their
> kerberos tickets to authenticate one another as well (without having
> to manually login with usernames and passwords again).
More information about the samba