[Samba] Kerberos authentication for non-windows KDCs

Sean Elble elbles at sessys.com
Tue Mar 11 18:07:47 GMT 2008


On 3/11/08 1:46 PM, "Wes Modes" <wmodes at ucsc.edu> wrote:

> I was told recently that Kerberos authentication won't work against a
> non-windows KDC.  Is that accurate?  So for instance, it is not possible
> for Samba running on say RHEL, to authenticate against a Linux server
> running MIT Kerberos?

In general, it is not possible for *Samba* to authenticate against an MIT
Kerberos server. Technically, it's not possible, period, with Samba 3. With
Samba 4, I am less sure, but I would assume you are trying to work with
Samba 3.

> 
> Additionally, many people said that setting this up was
> well-documented.  Any suggestions of particularly good docs / how-to's?

If you are looking to integrate OpenLDAP and MIT Kerberos with Samba, one of
the best guides I can think of is here:

http://aput.net/~jheiss/krbldap/

It's a little old, and I had to change a few things to get everything
working properly, but it does work. Note that Samba will still pick up
passwords via OpenLDAP - It will NOT use Kerberos as a native authentication
mechanism. The best you can do is either sync your Kerberos password with
the sambaNTPassword attribute OR use Heimdal Kerberos, which I believe
allows for storing the password database in OpenLDAP as a hash that Samba
can use as well. It sort of defeats the original purpose of Kerberos, as the
passwords still go across the wire, but at least it cuts down on the number
of authentication databases that need to be maintained.

> 
> And lastly, is there anyone here currently who's set up both Kerberos
> authentication AND an OpenLDAP user/group data repository for their
> Samba server?

I'm not using Kerberos authentication for Samba, but I am using it for
everything else, along with the OpenLDAP user/group data repository. It
works quite well, as long as you can find a decent way to sync the
passwords...

> 
> W.

-- 
+-------------------------------------------------
|  Sean Elble      
|  Virginia Tech, Class of 2009
|  President, VTLUUG
|  E-Mail:   elbles at sessys.com
|  Web:      http://www.sessys.com/~elbles/
|  Cell:     860.946.9477
+-------------------------------------------------