[Samba] Samba - LDAP - Kerberos

Sean Elble elbles at sessys.com
Wed Apr 4 01:47:06 GMT 2007

On 4/3/07 1:20 PM, "Jörg Herzinger" <Bowser at physik.htu.at> wrote:

> Hello. I'm trying to implement a single-sign-on system with MIT-Kerberos and
> OpenLDAP. These two are currently working pretty well, but now I'm trying to
> add samba to this system. I've found a lot of tutorials about samba PDC with
> LDAP backend, but this is of course not quite what I want. My passwords are
> stored in the kerberos database and user data is stored in LDAP.
> Is there a way to authenticate samba through LDAP/Kerberos? Or is it maybe
> possible to authenticate samba through PAM?

It's an idea a lot of people want to implement, but sadly, it is not
possible for Samba to use a Kerberos password database, at least not while
using encrypted passwords. The reason is that, when Samba uses
encrypted passwords, it has no access to the password itself, only the
hashed representation. In addition, the encryption hash, if you will, that
Windows uses is nothing like the encryption hash used by Kerberos. This is a
bit of a simplification, but it is how I understand it.

I have achieved a sort of single-sign-on environment by using Samba's
password script functionality to change both the Samba password (stored in an
LDAP backend) and the Kerberos password at the same time. My particular
setup involves Samba running on the same machine as the KDC daemon, which
allows me to use these Samba parameters in smb.conf:

        unix password sync = yes
        passwd program = /usr/kerberos/sbin/kadmin.local -q 'cpw %u'
        passwd chat = "Authenticating as principal*"\n"Enter password for principal *"%u"*:*" %n\n \n"Re-enter password for principal *"%u"*:*" %n\n \n"Password for *"%u"@* changed."\n

This probably would not be the best setup in an enterprise environment, but
at my in-home "lab" where I play with this kind of stuff, it works just
fine, as long as my "users" remember to change their passwords via Windows
(i.e. not your typical passwd/kpasswd programs). Hope that helps . . .

> tia,
>     Bowser

|  Sean Elble                                     |
|  Virginia Tech, Class of 2008                   |
|  Vice President, VTLUUG                         |
|  E-Mail:   elbles at sessys.com                    |
|  Web:      http://www.sessys.com/~elbles/       |
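Added illustration of the expect/send mechanism the reply relies on (this is example code written for this page, not code from the post or from Samba): a dry run of a passwd chat string, parsed with the smb.conf(5) token rules, against a constructed stand-in for the prompts of `kadmin.local -q 'cpw user'`. The chat string, the EXAMPLE.COM realm and the FakeKadmin transcript are assumptions.

```python
import fnmatch
import re

# Chat in smb.conf(5) syntax (assumed, not the poster's exact line): tokens
# alternate expect/send, quotes group spaces, '*' is a wildcard, '.' means
# nothing, %u is the user and %n the new password.
CHAT = (r'"Authenticating as principal*" . '
        r'"Enter password for principal*"%u"*:*" %n\n '
        r'"Re-enter password for principal*"%u"*:*" %n\n '
        r'"*"%u"*changed*" .')

def tokenize(chat):
    # A token is a run of unquoted non-space characters and "quoted" spans.
    return [t.replace('"', '') for t in re.findall(r'(?:[^\s"]|"[^"]*")+', chat)]

def expand(tok, user, newpw):
    """Escapes first, then macros, so a new password containing a backslash
    sequence is never reinterpreted as a chat escape."""
    for esc, ch in (('\\n', '\n'), ('\\r', '\r'), ('\\t', '\t'), ('\\s', ' ')):
        tok = tok.replace(esc, ch)
    return tok.replace('%u', user).replace('%n', newpw)

class FakeKadmin:
    """Constructed stand-in for the prompts of `kadmin.local -q 'cpw user'`."""
    def __init__(self, user, realm='EXAMPLE.COM'):
        self.princ, self.got = f'{user}@{realm}', []
        self.out = [f'Authenticating as principal root/admin@{realm} with password.\n',
                    f'Enter password for principal "{self.princ}": ']
    def read(self):
        return self.out.pop(0) if self.out else None
    def write(self, text):  # the password typed in, newline stripped
        self.got.append(text.rstrip('\n'))
        if len(self.got) == 1:
            self.out.append(f'Re-enter password for principal "{self.princ}": ')
        elif self.got[0] == self.got[1]:  # on mismatch nothing more is printed
            self.out.append(f'Password for "{self.princ}" changed.\n')

def run_chat(chat, child, user, newpw):
    """Drive child through the expect/send pairs; False if output runs out."""
    toks = tokenize(chat)
    for expect, send in zip(toks[0::2], toks[1::2] + ['.']):
        if expect != '.':
            pat, buf = expand(expect, user, newpw), ''
            while not fnmatch.fnmatchcase(buf, pat):
                chunk = child.read()
                if chunk is None:
                    return False
                buf += chunk
        if send != '.':
            child.write(expand(send, user, newpw))
    return True
```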
