[Samba] nslcd: kerberos vs. simple bind

steve steve at steve-ss.com
Wed Aug 28 11:11:19 MDT 2013

On Wed, 2013-08-28 at 18:37 +0200, Marc Muehlfeld wrote:
> Hello,
> I took this out of the "OpenSSH auth in SAMBA4 LDAP" thread, because it 
> was drifting away from it's origin question :-)
> I played this afternoon a bit with nslcd and kerberos for extending my 
> Wiki HowTo. But as more as I read, one question comes bigger and bigger: 
> What are the advantages of kerberos against simple bind with DN and 
> password?
> Simple bind method: Create a user, add the credentials to the root only 
> readable file nslcd.conf. Done
> Kerberos: Create user, add a SPN, extract keytab, edit nslcd.conf (ok. 
> This is all done only once.). But then, if I understand it right, I need 
> something that renews the kerberos ticket from time to time. In your 
> blog you use k5start for that. Also Fedora 19 and RHEL6 doesn't have it 
> in their repositories. So something more to compile and to be ensured 
> that it starts and run. :-)
> So currently I don't see what are the advantages of Kerberos and in 
> which way it should be easier or anything else. :-)
> Maybe someone can give me (Kerberos beginner) some answers/hints. :-)

If you're happy with plain text passwords being passed over the network
then use them. There may be some admins that will not be able to do that
though, so. . .

You may want to kerberise it. It's very easy: you don't need to create
anything new. Just use an object you already have. You always have a
machine key for example. On the DC, you'll have to extract its keytab
but otherwise, away you go:

 k5start -v -f /etc/krb5.keytab -U -o nslcd-user -K
360 -k /tmp/nslcd.tkt &

If you need to be up more than 10 hours a day and if you don't like
k5start, cron it.

The clients already have the keytab so nothing else to do.

More information about the samba mailing list