[Samba] LDAP and Kerberos configuration

Sean P. Elble elbles at sessys.com
Mon Jul 9 18:37:51 GMT 2007


Unfortunately, this type of setup is very far from trivial. LDAP and 
Kerberos combined can be quite a bit of a pain as it is, and throwing 
Samba into the mix only makes things even more painful. That said, the 
following link is pretty much the best thing on the web (IMHO) with regard 
to doing this:

http://aput.net/~jheiss/krbldap/

The link is a bit out-of-date, and has a few errors that were pretty 
painful to diagnose and fix, but I did eventually get a completely 
replicated LDAP/Kerberos setup, with a single Samba PDC at the moment 
(this is at home, so I'm not *THAT* concerned about the Samba box dying).

I did e-mail the author of the document to note the errors and omissions, 
but I never received a reply, nor were my changes added to his site. 
That's a real shame, because his documents were (and still are, for the 
most part) quite good.

I don't have any of my notes on the subject handy, but the largest issues 
that I can remember off hand were:

1. Some of the LDAP ACL entries were not correct, or were out-of-date with 
current versions of LDAP.

2. I'm pretty sure there were quite a few more steps involved with getting 
Samba to play nicely with a standard LDAP+Kerberos setup. Also, note that 
with a standard MIT Kerberos distribution, you will NOT be able to store 
Windows passwords in the MIT Kerberos database. The best you can do, as 
things stand right now, without any patches to either Samba or Kerberos, 
is sync the Kerberos passwords (to be used with everything but Samba) with 
the NTLM password hashes stored in the LDAP directory. If you choose to 
use Heimdal, I understand that it is possible to use the Samba NT password 
hashes for the Kerberos authentication as well, per Andrew Bartlett's 
reply to me on the subject from back in April 
<http://lists.samba.org/archive/samba/2007-April/130835.html>.

3. Kerberos replication has a few more steps than are detailed on his 
page, and they really aren't all that clear in any of the official MIT Kerberos 
documentation either (i.e. you must create a database on each of your 
Kerberos slaves before kpropd will replicate - you won't get any error 
messages that indicate that problem either).

I will try and post my notes on the subject later tonight, and I'm sure 
I'd hear some corrections to make to them, but in the meantime, the link I 
referenced above is about as good as it gets if you want SSO for 
Linux/UNIX and Windows systems, with the backend being served by Linux or 
UNIX. At least until Samba 4 comes out, anyway . . . ;-) :-)

--
+-------------------------------------------------+
|  Sean Elble                                     |
|  Virginia Tech, Class of 2008                   |
|  Vice President, VTLUUG                         |
|  E-Mail:   elbles at sessys.com                    |
|  Web:      http://www.sessys.com/~elbles/       |
|  Cell:     860.946.9477                         |
+-------------------------------------------------+

On Tue, 3 Jul 2007, Nick Bartos wrote:

> Good luck, I've been looking for the same thing for some time now.
>
>
>>
>> Hello,
>>
>> I am looking for configuration of SAMBA  3.0.25a with LDAP registry and
>> Authentication with Kerberos.
>> Any help is appreciated.
>>
>> Iliya
>>
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions:  https://lists.samba.org/mailman/listinfo/samba
>>
>
> ________________________________________________________________________
> SES Computer Systems Anti-Virus and Anti-Spam E-Mail Filtering
> Powered By ClamAV & SpamAssassin
>