[Samba] Samba, Kerberos and LDAP Question

Alex alexthegamer at gmail.com
Wed Jun 25 21:33:54 GMT 2008


Hello again,

Ideally, I would have the users authenticate with the existing logins in
LDAP/Kerberos. The users already have access to their own machines, but need
a mechanism to be able to access the shared data that they already have on
Linux (these are roaming laptops, profiles and network login are unneeded).

In case I am not clear, I do not need Samba to be a domain controller. In
fact, I don't need a domain. I just want to use the existing user
information available in LDAP and Kerberos, and expose it to Samba for
minimal administrative overhead (i.e., I don't want to maintain an
smbpasswd).

Thank you in advance,
Alex

On Tue, Jun 24, 2008 at 5:47 PM, Ryan Bair <ryandbair at gmail.com> wrote:

> How will the users be authenticating? If you're going to be adding the
> machines to an NT domain and you want users to authenticate against
> that at login you will need to store all the samba account information
> including the nt password hash in there. So although you can still
> store your user info in LDAP, Kerberos won't be used for
> authentication.
>
> If you don't care about domain stuff, then you can put the samba
> server into ADS mode and the Windows users can use their Kerberos
> tickets to get access. I'm not sure if this will work with MIT
> Kerberos on the client or if Microsoft Kerberos is required. The
> biggest pain with this is then managing local users on all the
> desktops whereas they are one and the same with an NT or AD domain. You
> might be able to use some pGina or scripting magic to help compensate
> for this last part.
>
> As a last thought, I seem to remember that you can have samba in user
> mode, set the domain, and it will still accept Kerberos credentials. I
> have not done this however.
>
> Hope this helps a bit,
> --Ryan
>
> On Tue, Jun 24, 2008 at 2:31 PM, Alex <alexthegamer at gmail.com> wrote:
> > Hello Everyone,
> >
> > I have a question regarding Samba, Kerberos, and LDAP. Specifically, I would
> > like to have users authenticate through Samba using the existing information
> > stored in Kerberos and LDAP. According to the documents I have read, this is
> > similar to the mechanism used by Microsoft's Active Directory, which Samba
> > supports. However, I am completely confused on this issue: can MIT Kerberos
> > and OpenLDAP be used as a backend to Samba? I have no Windows servers on the
> > network, and attempts to authenticate against Kerberos have left all of the
> > smb tools responding "cannot find DC for domain".
> >
> > If necessary, I will post the configuration information, but at this point,
> > I only wish to find out if such a setup is currently possible. (I apologize
> > if this question is common, but I could not find any clear answer after 72
> > hours of searching).
> >
> > Sincerely,
> > Alex
>

