[Samba] LDAP and Kerberos configuration
Sean P. Elble
elbles at sessys.com
Mon Jul 9 18:37:51 GMT 2007
Unfortunately, this type of setup is very far from trivial. LDAP and
Kerberos combined can be quite a bit of a pain as it is, and throwing
Samba into the mix only makes things even more painful. That said, the
following link is pretty much the best thing on the web (IMHO) with regard
to doing this:
http://aput.net/~jheiss/krbldap/
The link is a bit out-of-date, and has a few errors that were pretty
painful to diagnose and fix, but I did eventually get a completely
replicated LDAP/Kerberos setup, with a single Samba PDC at the moment
(this is at home, so I'm not *THAT* concerned about the Samba box dying).
I did e-mail the author of the document to note the errors and omissions,
but I never received a reply, nor were my changes added to his site.
That's a real shame, because his documents were (and still are, for the
most part) quite good.
I don't have any of my notes on the subject handy, but the largest issues
that I can remember off hand were:
1. Some the LDAP ACL entries were not correct, or were out-of-date with
current versions of LDAP.
2. I'm pretty sure there was quite a few more steps invovled with getting
Samba to play nicely with a standard LDAP+Kerberos setup. Also, note that
with a standard MIT Kerberos distribution, you will NOT be able to store
Windows passwords in the MIT Kerberos database. The best you can do, as
things stand right now, without any patches to either Samba or Kerberos,
is sync the Kerberos passwords (to be used with everything but Samba) with
the NTLM password hashes stored in the LDAP directory. If you choose to
use Heimdal, I understand that it is possible to use the Samba NT password
hashes for the Kerberos authentication as well, per Andrew Bartlett's
reply to me on the subject from back in April
<http://lists.samba.org/archive/samba/2007-April/130835.html>.
3. Kerberos replication has a few more steps than are detailed on his
page, and really aren't all that clear in any of the official MIT Kerberos
documentation either (i.e. you must create a database on each of your
Kerberos slaves before kpropd will replicate - you won't get any error
messages that indicate that problem either).
I will try and post my notes on the subject later tonight, and I'm sure
I'd hear some corrections to make to them, but in the meantime, the link I
referenced to above is about as good as it gets if you want SSO for
Linux/UNIX and Windows systems, with the backend being served by Linux or
UNIX. At least until Samba 4 comes out, anyway . . . ;-) :-)
--
+-------------------------------------------------+
| Sean Elble |
| Virginia Tech, Class of 2008 |
| Vice President, VTLUUG |
| E-Mail: elbles at sessys.com |
| Web: http://www.sessys.com/~elbles/ |
| Cell: 860.946.9477 |
+-------------------------------------------------+
On Tue, 3 Jul 2007, Nick Bartos wrote:
> Good luck, I've been looking for the same thing for some time now.
>
>
>>
>> Hello,
>>
>> I am looking for configuration of SAMBA 3.0.25a with LDAP registry and
>> Authentication with Kerberos.
>> Any help is appreciated.
>>
>> Iliya
>>
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions: https://lists.samba.org/mailman/listinfo/samba
>>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/listinfo/samba
> ________________________________________________________________________
> SES Computer Systems Anti-Virus and Anti-Spam E-Mail Filtering
> Powered By ClamAV & SpamAssassin
>
________________________________________________________________________
SES Computer Systems Anti-Virus and Anti-Spam E-Mail Filtering
Powered By ClamAV & SpamAssassin
More information about the samba
mailing list