[Samba] Samba authentication to Kerberos via OpenLDAP, third and last try

Wes Modes wmodes at ucsc.edu
Thu Apr 3 20:34:30 GMT 2008

So far answers I've received on this list have been inconsistent at best 
and downright inaccurate at worst.  I'm going to try one more time and 
see if, at the very least, someone can give me a lead.  I ask you to 
consider what I'm asking remotely possible, and then seek a solution.  
(Particularly before one blasts off an ill-thought out message that says 
simple, "Can't be done," simple because you've never done it or haven't 
heard of it being done.)  So consider this a challenge or a riddle.

   1. I have an OpenLDAP directory server that I am using for user and
      group information.  I would like to use it also to authenticate
      against.  This way, whatever I hook up to it (Samba, webstuff, PHP
      apps, CMS) can both authenticate and authorize from one source. 
   2. There is a separate Kerberos server that has users' campus-wide
      passwords.  I have access to it, but do not control it.
   3. I have a separate linux file server running Samba.  PCs and Macs
      will connect to it. 

I know I can do Kerberos authentication directly from Samba, but I'd 
prefer OpenLDAP do the Kerberos connection.  Here's why:  a) I can solve 
the problem once, rather than have to work out BOTH LDAP and Kerberos 
connections for every new authenticated service I add, and b) LDAP hooks 
are more common than Kerberos hooks for other services for which I will 
eventually want authentication and authroization.  And yes, I know it 
breaks the Kerberos model.

The question and the challenge:  Any leads on how I might convince Samba 
to pass the input password on to OpenLDAP so that OpenLDAP can 
authenticate it against Kerberos?



Wes Modes
Server Administrator & Programmer Analyst
McHenry Library
Computing & Network Services
Information and Technology Services

More information about the samba mailing list