[Samba] Samba + LDAP + ¿Kerberos?

Jim Hogan jimh at u.washington.edu
Thu Dec 28 20:22:48 GMT 2006

To answer my own question.

Howard Chu, on the fedora-directory-users list, answered a slightly 
different version of the same query from me and I think has put me out 
of my misery :) 


Now, my University has recently implemented an enterprise AD sign-on 
infrastructure that I could conceivably use for Samba Windows clients 
(via one-way trust) but I'm not sure where that would leave Linux / OS X 
machines.  ('Course if I make all of *them* Samba clients....)


Jim Hogan wrote:
> Michael, All,
> I have been going back through the Samba archives looking to see if a 
> Samba+LDAP+Kerberos configuration is possible given my situation.  
> Mostly I see posts that say "You can't get there from here.", but I 
> don't want to give up too easily.  My situation is this:
> I have a new Samba 3.x domain with LDAP back end (using Fedora 
> Directory Server) and this stores user accounts for my university 
> department (about 300) and groups.  For UID this Samba domain uses the 
> unique ID employed by the university.  The university employs a very 
> mature SSO infrastructure that includes Kerberos.  I would like my 
> Samba domain to use university Kerberos realm for authentication (SSO) 
> while I retain control over authorization and departmental 
> users/groups/shares.  We have a mix of Windows, Macs and Linux, so a 
> generalizable Kerberos authentication has even more appeal.
> I have seen Samba How-To docs on using client Kerberos in AD 
> environment with examples of smb.conf entries for this.
> The Fedora Directory Server Wiki has a fairly straightforward entry on 
> how to use FDS with Kerberos:
>        http://directory.fedora.redhat.com/wiki/Howto:Kerberos
> What I am not seeing is a way to combine the two -- configure Samba 
> clients as Kerberos clients which then present a Kerberos credential 
> to the Samba backend (LDAP) to satisfy authentication.  I can't find it, 
> but I saw one article that seemed to suggest storing Kerberos 
> credentials in LDAP NTPasswd field -- made it seem like LDAP/Samba 
> server would act like proxy for Samba client PCs -- but I am having a 
> hard time seeing how you could avoid having all client PCs act as 
> Kerberos clients.
> Like I say, I see some "not possible" replies, but some of them are 
> pretty dated.  I also see some replies (like this one from 2004: 
> http://lists.samba.org/archive/samba/2004-April/084387.html ) which 
> propose some slightly different ways of achieving similar ends, but 
> not quite what I want to accomplish.
> Obviously, if anybody has already implemented the type of solution I 
> lay out, I would buy them lunch (real or virtual) if they would share 
> the details.  Alternatively if anybody can authoritatively spell out 
> why this just won't work, then I guess I can move on to the "grieving" 
> stage :)  If there is a grey area here, some opportunity to 
> experiment, well, I'm game.
> Thanks!
> Jim
> Michael Schurter wrote:
>> Asier Baranguán wrote:
>>> Hi!
>>> Perhaps this is not the appropriate list, but I need some advice.
>>> I have a working Samba PDC with a LDAP backend over a secure TLS 
>>> connection, with W2000 and XP clients. I've read in a lot of 
>>> places that Kerberos is a very nice thing to have in the setup but I 
>>> cannot see why. I know the foundations of kerberos but I can't see 
>>> how much "value" will add to the setup.
>>> Am I missing something? Please, help.
>> Windows clients (as well as properly configured UNIX clients) will 
>> use Kerberos to authenticate against your PDC and between one 
>> another.  The advantage Kerberos has is that it allows single sign 
>> on: 2 clients both authenticate once against the PDC, and then they 
>> can use their kerberos tickets to authenticate one another as well 
>> (without having to manually login with usernames and passwords again).
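For readers trying to place the "client Kerberos in AD environment" smb.conf entries Jim mentions: the fragment below is an added illustration, not configuration from Jim, Michael or the Samba project, and the realm, hostnames and LDAP suffix in it (DEPT.EXAMPLE.EDU, kdc.example.edu, ldap.dept.example.edu, dc=dept,dc=example,dc=edu) are placeholders. It shows the Samba 3 options that make a host authenticate its SMB clients through an existing Kerberos realm while user/group identity information is still read from a departmental LDAP server.

```ini
# Added example: Samba 3 domain member authenticating via an external
# Kerberos realm (security = ads) while mapping SIDs to the department's
# existing LDAP directory.  All names below are hypothetical placeholders.
[global]
   workgroup = DEPT
   # Kerberos realm the host has been joined to ("net ads join" creates the
   # machine account and keytab); must match /etc/krb5.conf's default_realm.
   realm = DEPT.EXAMPLE.EDU
   security = ads
   # Use the host keytab rather than the machine password for ticket
   # validation, so an SMB client presenting a service ticket is accepted.
   use kerberos keytab = yes
   # Keep the Samba server's own encryption off LDAP wire in the clear:
   # require TLS when talking to the directory.
   ldap ssl = start tls
   # SID<->UID/GID mapping stored in the department's LDAP, so the UIDs
   # stay the ones the directory already assigns.
   idmap backend = ldap:ldap://ldap.dept.example.edu
   ldap idmap suffix = ou=Idmap,dc=dept,dc=example,dc=edu
   ldap admin dn = cn=samba,ou=Services,dc=dept,dc=example,dc=edu
   ldap suffix = dc=dept,dc=example,dc=edu
   idmap uid = 10000-99999
   idmap gid = 10000-99999
   winbind use default domain = yes
   winbind enum users = yes
   winbind enum groups = yes
```

Two caveats a practitioner would want spelled out. First, with `security = ads` the Samba host is a member of the Kerberos/AD domain, not a PDC: authentication decisions move to the university KDC, and Samba contributes only the SID-to-UID mapping and share-level authorization, which is the trade-off behind the "one-way trust" remark above. Second, `ldap admin dn` needs its password stored in secrets.tdb via `smbpasswd -w`, and that bind account should be limited to the idmap subtree it actually writes; a directory-wide admin DN there is a common over-privilege.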
