[Samba] Samba - LDAP - Kerberos

Andrew Bartlett abartlet at samba.org
Wed Apr 4 12:04:35 GMT 2007

On Tue, 2007-04-03 at 21:47 -0400, Sean Elble wrote:
> On 4/3/07 1:20 PM, "Jörg Herzinger" <Bowser at physik.htu.at> wrote:
> > Hello. I'm trying to implement a single-sign-on system with MIT-Kerberos and
> > OpenLDAP. These two are currently working pretty well, but now I'm trying to
> > add samba to this system. I've found a lot of tutorials about samba PDC with
> > LDAP backend, but this is of course not quite what I want. My passwords are
> > stored in the kerberos database and userdata is stored in LDAP.
> > Is there a way to authenticate samba through LDAP/Kerberos? Or is it maybe
> > possible to authenticate samba through PAM?
> > 
> It's an idea a lot of people want to implement, but sadly, it is not
> possible for Samba to use a Kerberos password database, at least not while
> using encrypted passwords. The reason is that, when Samba uses
> encrypted passwords, it has no access to the password itself, only the
> hashed representation. In addition, the encryption hash, if you will, that
> Windows uses is nothing like the encryption hash used by Kerberos. This is a
> bit of a simplification, but it is how I understand it.

This is incorrect.  Heimdal can use Samba's password database as a
backend, because the sambaNTPassword is what Microsoft made the
arcfour-hmac-md5 Kerberos key out of.

> I have achieved a sort of single-sign-on environment by using Samba's
> password script functionality to change both the Samba password (stored in a
> LDAP backend) and the Kerberos password at the same time. My particular
> setup involves Samba running on the same machine as the KDC daemon, which
> allows me to use these Samba parameters in smb.conf:
>         unix password sync = yes
>         passwd program = /usr/kerberos/sbin/kadmin.local -q 'cpw %u'
>         passwd chat = "Authenticating as principal*"\n"Enter password for
> principal *"%u"*:*" %n\n \n"Re-enter password for principal *"%u"*:*" %n\n
> \n"Password for *"%u"@* changed."\n
> This probably would not be the best setup in an enterprise environment, but
> at my in-home "lab" where I play with this kind of stuff, it works just
> fine, as long as my "users" remember to change their passwords via Windows
> (i.e. Not your typical passwd/kpasswd programs). Hope that helps . . .

The other option is the smbk5pwd module for openldap, and setting 'ldap
password sync = yes'.  I've not used it myself, but I'm told it works.

Andrew Bartlett

Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.                  http://redhat.com
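The point Andrew makes above (that the sambaNTPassword value is exactly the arcfour-hmac-md5 Kerberos key) can be checked directly. The following is an added example, not code from the thread or from Samba or Heimdal: it implements RFC 1320 MD4 in pure Python (because the md4 algorithm is a legacy one that many OpenSSL 3 builds no longer expose through hashlib), derives the NT hash the way Samba stores it (MD4 over the UTF-16LE password), and derives the RFC 4757 rc4-hmac string-to-key value, which takes no salt. The sample password and salt strings are constructed for the demonstration. Seeing that the two derivations are byte-for-byte identical is also the reason an LDAP attribute holding sambaNTPassword deserves the same access controls as a KDC's key store.

```python
"""Added example: why a Samba NT hash is an RC4-HMAC Kerberos key.

RFC 4757 defines the rc4-hmac (etype 23) string-to-key as
    K = MD4(UNICODE(password))
with no salt.  The NT hash in sambaNTPassword is MD4 over the UTF-16LE
password.  Same bytes, so a KDC can use Samba's database as a backend.

MD4 is implemented here because hashlib's 'md4' is a legacy algorithm that
many OpenSSL 3 builds do not expose.
"""
import struct

MASK32 = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32


def _f(x, y, z):
    return ((x & y) | (~x & z)) & MASK32


def _g(x, y, z):
    return ((x & y) | (x & z) | (y & z)) & MASK32


def _h(x, y, z):
    return (x ^ y ^ z) & MASK32


# Per round: (round function, message-word order, shift amounts, additive constant)
_ROUNDS = (
    (_f, list(range(16)), (3, 7, 11, 19), 0),
    (_g, [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13), 0x5A827999),
    (_h, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15), 0x6ED9EBA1),
)


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 digest of `data` (16 bytes)."""
    msg = bytearray(data)
    msg.append(0x80)                      # mandatory 1-bit, then zero padding
    while len(msg) % 64 != 56:
        msg.append(0)
    msg += struct.pack('<Q', (8 * len(data)) & 0xFFFFFFFFFFFFFFFF)  # bit length, LE

    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        x = struct.unpack('<16I', msg[off:off + 64])
        a, b, c, d = h
        for fn, order, shifts, const in _ROUNDS:
            for i, k in enumerate(order):
                a = _rotl((a + fn(b, c, d) + x[k] + const) & MASK32, shifts[i % 4])
                a, b, c, d = d, a, b, c   # rotate registers for the next step
        h = [(v + w) & MASK32 for v, w in zip(h, (a, b, c, d))]
    return struct.pack('<4I', *h)


def nt_hash(password: str) -> bytes:
    """The sambaNTPassword value: MD4 over the UTF-16LE password, unsalted."""
    return md4(password.encode('utf-16-le'))


def rc4_hmac_string_to_key(password: str, salt: str = "") -> bytes:
    """RFC 4757 string-to-key for etype 23 (rc4-hmac).

    The salt that other Kerberos enctypes fold in (realm + principal name)
    is ignored by this enctype, which is exactly what makes the key portable
    between Samba's database and a KDC.
    """
    del salt  # rc4-hmac derives the key from the password alone
    return md4(password.encode('utf-16-le'))


def same_key(password: str, salt: str = "EXAMPLE.COMuser") -> bool:
    """True when the NT hash equals the rc4-hmac Kerberos key for `password`."""
    return nt_hash(password) == rc4_hmac_string_to_key(password, salt)


if __name__ == "__main__":
    pw = "password"   # constructed sample; its NT hash is a widely published test vector
    print("NT hash   :", nt_hash(pw).hex())
    print("rc4-hmac K:", rc4_hmac_string_to_key(pw, "EXAMPLE.COMuser").hex())
    print("identical :", same_key(pw))
```

Running it prints the same 16 bytes for both derivations. The contrast worth noting for hardening is that the salt argument changes nothing for etype 23, whereas AES enctypes bind the key to realm and principal; a KDC backed by sambaNTPassword therefore only offers arcfour-hmac-md5 keys, and the LDAP ACLs on that attribute carry the whole weight.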