[Samba] samba4, with existing krb5 and ldap

Andrew Bartlett abartlet at samba.org
Fri Nov 1 23:40:42 MDT 2013


On Fri, 2013-11-01 at 10:28 +0000, lux-integ wrote:
> Greetings,
> 
> I have a linux-running-computer acting as a KDC. It has :-
> OS--blfs linux gcc-4.8.1 linux-3.10.17, krb5-1.11.2, openldap-2.4.35, cyrus-sasl-2.4.26, bind-9.9.4, ntp4.2.7
> 
> my /etc/krb5.conf has :-
> 
> [dbmodules]
>   openldap_ldapconf = {
>       db_library = kldap
>       ldap_kerberos_container_dn = cn=krbcontainer,dc=somewhere,dc=com
>       ldap_kdc_dn = "cn=kdc-service,dc=somewhere,dc=com"
>       # this object needs to have read rights on
>       # the realm container and principal subtrees
>       ldap_kadmind_dn = "cn=adm-service,dc=somewhere,dc=com"
>       # this object needs to have read and write rights on
>       # the realm container and principal subtrees
>       ldap_service_password_file = /etc/krb5/service.keyfile
>       ldap_servers = ldaps://machine1.somewhere.com ldaps://machine2.somewhere.com
>       ldap_conns_per_server = 5
>   }
> 
> in other words ldap uses krb5 for authentication
> (AND it took me ages to work out and test the krb5.conf and have ldap and
> cyrus and bind all working together)

Indeed, and it is the total pain that this causes that was one of the
many reasons behind producing an integrated service, rather than a set of
components to be configured.

> NOW I want to use the machine as a domain controller and install samba4
> thereon. I learnt that samba4 has a bundled ldap and can't use the ldap
> already installed.
> 
> The question is could I still use the /etc/krb5.conf (excerpt thereof above)
> as is or would there be a conflict with the bundled ldap in samba4

No.

> OR is it possible to configure samba4 to use the ldap already installed?

No.

> OR

Just use:

[libdefaults]
        default_realm = SAMBA.EXAMPLE.COM
        dns_lookup_realm = false
        dns_lookup_kdc = true

(and typically nothing else)

> OR
> 
> Advice/suggestions will be greatly appreciated

I hope this helps,

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
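As an added example (not from this thread, and not Samba's own code), a small krb5.conf parser plus a lint that flags the kldap `[dbmodules]` stanza from the question and checks for the minimal `[libdefaults]` from the reply; the two sample configs are constructed from the excerpts above.

```python
import re

# Constructed samples: the poster's [dbmodules] stanza (trimmed) and the reply's [libdefaults].
LEGACY_CONF = """
[dbmodules]
  openldap_ldapconf = {
      db_library = kldap
      ldap_kdc_dn = "cn=kdc-service,dc=somewhere,dc=com"
  }
"""
SAMBA_CONF = """
[libdefaults]
        default_realm = SAMBA.EXAMPLE.COM
        dns_lookup_realm = false
        dns_lookup_kdc = true
"""

def parse_krb5_conf(text):
    """Parse krb5.conf text into {section: {key: value}}; '{ }' blocks nest as dicts."""
    sections, stack, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and surrounding space
        if not line:
            continue
        head = re.fullmatch(r"\[(\w+)\]", line)
        if head and not stack:
            current = sections.setdefault(head.group(1), {})
            continue
        if line == "}":
            stack.pop()  # close the innermost {} block
            continue
        key, _, value = (part.strip() for part in line.partition("="))
        target = stack[-1] if stack else current  # settings must sit inside a section
        if value == "{":
            stack.append(target.setdefault(key, {}))  # open a nested block
        else:
            target[key] = value.strip('"')
    return sections

def lint_for_samba_ad(conf):
    """Findings for a krb5.conf on a host that will be a Samba AD DC."""
    findings = []
    for name, mod in conf.get("dbmodules", {}).items():
        if isinstance(mod, dict) and mod.get("db_library") == "kldap":
            findings.append("dbmodules/%s: kldap is an MIT KDC backend; a Samba AD DC runs its own KDC" % name)
    libd = conf.get("libdefaults", {})
    if "default_realm" not in libd:
        findings.append("libdefaults: default_realm is missing")
    if libd.get("dns_lookup_kdc", "").lower() != "true":
        findings.append("libdefaults: dns_lookup_kdc should be true")
    return findings
```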
