[Samba] samba + mit krb5 + ldap hypothetical

Brian Thompson brian at eng.wayne.edu
Fri Feb 8 05:32:12 GMT 2008


Hi all,
I've read through much of the list archives and other various docs and
am now more confused than ever regarding how samba interacts with
external services. All of the docs seem to assume that a Windows AD
server is part of the picture when ldap/krb5 are involved.

What I'm trying to do is set up a samba fileserver that Windows clients
can connect to via something like:

"net use h: \\sambaserver\myhomedir /user:user123 pw123"

Assume:
a) "sambaserver" is the name of my fileserver where the disk space is
located, but it doesn't have any actual user accounts on it other than
root, etc.

b) "user123" is a valid person within a ldap directory which does contain
valid information for the posixAccount objectclass (the same information
that would normally be seen in /etc/passwd including their uid, gid,
homedir path, but doesn't contain their actual password).

c) "user123" is also a valid principal within an MIT krb5 realm and "pw123"
is their krb5 realm password.

d) "user123" isn't relevant at all on the windows client side of things
(there's no AD server or centralized Windows administration) so I'm not
trying to join the samba server to a Windows AD domain or use any
preexisting Windows account info.

e) The ldap directory and MIT kdc aren't administrated by my group
so I'd like to avoid having to make any changes to them if possible.

Again my goal is to let the Windows clients mount some disk space from
the samba server using their krb5 credentials and make their effective uid,
gid, and home dir path equal to what is stored in the ldap directory so that
permissions are correct and the proper path gets mounted. Any tips or
pointers would be greatly appreciated.

Thanks,
Brian


