[Samba] Samba, Kerberos and LDAP Question

Ryan Bair ryandbair at gmail.com
Tue Jun 24 21:47:12 GMT 2008 

How will the users be authenticating? If you're going to be adding the
machines to an NT domain and you want users to authenticate against
that at login you will need to store all the samba account information
including the nt password hash in there. So although you can still
store your user info in LDAP, Kerberos won't be used for
authentication.

If you don't care about domain stuff, then you can put the samba
server into ADS mode and the Windows users can use their Kerberos
tickets to get access. I'm not sure if this will work with MIT
Kerberos on the client or if Microsoft Kerberos is required. The
biggest pain with this is then managing local users on all the
desktops whereas they are one in the same with an NT or AD domain. You
might be able to use some pGina or scripting magic to help compensate
for this last part.

As a last thought, I seem to remember that you can have samba in user
mode, set the domain, and it will still accept Kerberos credentials. I
have not done this however.

Hope this helps a bit,
--Ryan

On Tue, Jun 24, 2008 at 2:31 PM, Alex <alexthegamer at gmail.com> wrote:
> Hello Everyone,
>
> I have a question regarding Samba, Kerberos, and LDAP. Specifically, I would
> like to have users authenticate through Samba using the existing information
> stored in Kerberos and LDAP. According to the documents I have read, this is
> similar to the mechanism used by Microsoft's Active Directory, which Samba
> supports. However, I am completely confused on this issue: can MIT Kerberos
> and OpenLDAP be used as a backend to Samba? I have no Windows servers on the
> network, and attempts to authenticate against Kerberos have left all of the
> smb tools responding "cannot find DC for domain"
>
> If necessary, I will post the configuration information, but at this point,
> I only wish to find out if such a set up is currently possible. (I appolize
> if this question is common, but I could not find any clear answer after 72
> hours of searching).
>
> Sincerely,
> Alex
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/listinfo/samba
>

More information about the samba mailing list