[Samba] Authentification against kerberos / sssd
walk2sun at arcor.de
Tue Dec 11 17:19:01 UTC 2018
On 11.12.18 at 15:36, tseegerkrb via samba wrote:
> On 11.12.18 15:23, Rowland Penny via samba wrote:
>> On Tue, 11 Dec 2018 15:09:39 +0100
>> tseegerkrb via samba <samba at lists.samba.org> wrote:
>>> Hello list,
>>> a quick question. Right now I have a combination of MIT Kerberos,
>>> OpenLDAP and SSSD for authenticating my users. Is there a way that
>>> Samba can use this setup to perform user authentication. I only want
>>> to access the shares of the Samba server from about 8 Windows
>>> computers. I am aware that I cannot make an Active Directory out of
The Samba 3 code supports OpenLDAP as a store for users, machines, groups
and other things you need.
>>> At the moment I have stored the users in a local passdb, which works
>>> but is very unpleasant.
This is really bad. I assume that you mean your userdb for Samba is
local tdb files.
Switch to ldapsam.
>> That is why Microsoft came up with domains ;-)
>> If you look at Active Directory, it is basically composed of kerberos,
>> ldap and dns, so you can replace your kerberos and ldap servers with a
>> Samba AD DC, this also comes with winbind which will replace sssd.
>> There is just one possible fly in the ointment, you mention MIT & sssd,
>> is this using a red-hat OS ?
>> If it is, you cannot use the OS packages to create an AD DC, or if you
>> can (Fedora), it shouldn't be used in production.
> Hello Rowland,
> thanks for your answer but I don't want to replace my kerberos & ldap
> setup with an AD server. Basically I only want to control access to the
> handful of Samba shares.
Your users should auth against openldap with exop control enabled.
Openldap should hand over the auth to kerberos. And then install
slapo-smbk5pwd on your openldap server. This overlay will sync the samba
Hint: I have never used sssd and I am sure I never will. For this
classic samba setup I prefer nslcd as pam and nss provider. Winbind will
If you are interested in such a setup, I am willing to help.
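
An smb.conf fragment illustrating the ldapsam setup recommended in this message, added here as an example and not taken from the poster's configuration or from the Samba project. The host name, DNs and OU names are constructed placeholders, and the choice of StartTLS and of `ldap passwd sync = only` is an assumption about how such a setup would be hardened.

```ini
# Standalone file server that keeps its Samba accounts in OpenLDAP
# instead of local tdb files (example values, not from the thread).
[global]
    security = user

    # Replace the local passdb with the LDAP backend.
    # ldap.example.org is a placeholder host name.
    passdb backend = ldapsam:ldap://ldap.example.org

    # Placeholder directory layout; the user, group and machine
    # suffixes are relative to "ldap suffix".
    ldap suffix = dc=example,dc=org
    ldap user suffix = ou=People
    ldap group suffix = ou=Groups
    ldap machine suffix = ou=Computers

    # Account Samba binds as. Its password is not stored in this
    # file; set it once with "smbpasswd -w" so it lands in secrets.tdb.
    ldap admin dn = cn=samba,dc=example,dc=org

    # Password hashes and bind credentials cross this connection,
    # so require StartTLS rather than plain LDAP.
    ldap ssl = start tls

    # On a password change, send only the LDAP password-modify
    # extended operation and leave updating the stored hashes to
    # the directory server (for instance an overlay such as
    # slapo-smbk5pwd).
    ldap passwd sync = only
```

The bind account named in `ldap admin dn` should be limited by OpenLDAP ACLs to the Samba attributes it has to read and write.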