[Samba] Samba to Kerberos via OpenLDAP

Wes Modes wmodes at ucsc.edu
Fri Mar 7 23:26:14 GMT 2008


First, I'll just say this is a question principally about the arcane 
mysteries of Samba to OpenLDAP authentication. 

I've had Samba to OpenLDAP authentication running for a while now using 
the samba.schema and the ldapsam module.  Now I'd like to understand a 
bit more about how that works in order to take it a step further and get 
OpenLDAP to bind against a Kerberos database via SASL.

An aside: yes, I'd heard that Samba can be configured to authenticate 
against Kerberos directly, but for my own reasons, I'd prefer that Samba 
talk only to OpenLDAP, and OpenLDAP can do the authentication.  I'll 
fall back on the Samba to Kerberos direct route if I can't find a way to 
do what I want.

I've noted that the Samba schema and smbldap-tools add to the user 
record two Samba-specific password fields, sambaNTPassword and 
sambaLMPassword. 

If I have the ldapsam module specified as the passdb backend in 
smb.conf, is OpenLDAP merely storing the Samba passwords while Samba 
does the password comparisons?  Or does OpenLDAP do the authentication 
and return a yes or no?

Is it possible to have Samba defer authentication to OpenLDAP?  If so, I 
can have OpenLDAP use the {SASL} method to do authentication via Kerberos.

Wes

-- 

Wes Modes
Server Administrator & Programmer Analyst
McHenry Library
Computing & Network Services
Information and Technology Services
459-5208

