[Samba] Authentification against kerberos / sssd

walk2sun walk2sun at arcor.de
Tue Dec 11 17:19:01 UTC 2018


On 11.12.18 at 15:36, tseegerkrb via samba wrote:
> On 11.12.18 15:23, Rowland Penny via samba wrote:
>> On Tue, 11 Dec 2018 15:09:39 +0100
>> tseegerkrb via samba <samba at lists.samba.org> wrote:
>>
>>> Hello list,
>>>
>>> a quick question. Right now I have a combination of MIT Kerberos,
>>> OpenLDAP and SSSD for authenticating my users. Is there a way that
>>> Samba can use this setup to perform user authentication. I only want
>>> to access the shares of the Samba server from about 8 Windows
>>> computers. I am aware that I cannot make an Active Directory out of
>>> this.

The samba 3 code supports openldap as a store for users, machines, groups 
and other things you need.


>>>
>>> At the moment I have stored the users in a local passdb, which works
>>> but is very unpleasant.

This is really bad. I assume that you mean your userdb for samba is 
local tdb files.

Switch to ldapsam.

>>>
>> That is why Microsoft came up with domains ;-)
>>
>> If you look at Active Directory, it is basically composed of kerberos,
>> ldap and dns, so you can replace your kerberos and ldap servers with a
>> Samba AD DC, this also comes with winbind which will replace sssd.
>>
>> There is just one possible fly in the ointment, you mention MIT & sssd,
>> is this using a red-hat OS ?
>> If it is, you cannot use the OS packages to create an AD DC, or if you
>> can (Fedora), it shouldn't be used in production.
>>
>> Rowland
>>
>>
> Hello Rowland,
>
> thanks for your answer but I don't want to replace my kerberos & ldap
> setup with an AD server. Basically I only want to control access to the
> handful of Samba shares.

Your users should auth against openldap with exop control enabled. 
Openldap should handover the auth to kerberos. And then install 
slapo-smbk5pwd on your openldap server. This overlay will sync the samba 
passwords.


Hint: I have never used sssd and I am sure I never will. For this 
classic samba setup I prefer nslcd as pam and nss provider. Winbind will 
also do.

If you are interested in such a setup, I am willing to help.

>
> Thorsten
>
--

Harry
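
Added example, not part of Harry's message: a sketch of the `[global]` section for the classic (non-AD) setup described above, with Samba reading accounts from OpenLDAP via ldapsam and leaving password changes to the LDAP server so that smbk5pwd can keep the Samba hash in step. The host name, workgroup, suffixes and DNs are assumptions; the slapd.conf lines in the comments assume the smbk5pwd overlay is built and the samba schema is loaded.

```ini
# smb.conf fragment (constructed example; all names below are placeholders)
[global]
    workgroup = EXAMPLE
    server role = standalone server
    security = user

    # Replace the local tdb user database with the LDAP directory.
    passdb backend = ldapsam:ldap://ldap.example.org

    # Where Samba looks for accounts; the three suffixes are relative
    # to "ldap suffix".
    ldap suffix = dc=example,dc=org
    ldap user suffix = ou=People
    ldap group suffix = ou=Groups
    ldap machine suffix = ou=Computers

    # Account Samba binds with. Its password is not written here; it is
    # stored in secrets.tdb with: smbpasswd -w <password>
    ldap admin dn = cn=samba,ou=services,dc=example,dc=org

    # The bind password and the sambaNTPassword hashes cross this link,
    # so require StartTLS.
    ldap ssl = start tls

    # Send password changes as an LDAP password-modify extended operation
    # and let the server update the Samba attributes (smbk5pwd does that).
    ldap passwd sync = only

# Matching directives on the OpenLDAP side (slapd.conf syntax), shown
# as comments because they belong in a different file:
#
#   moduleload  smbk5pwd
#   overlay     smbk5pwd
#   smbk5pwd-enable samba
#
# sambaNTPassword is an unsalted NT hash and is password-equivalent for
# NTLM, so the slapd ACLs should allow read access to it only for the
# Samba bind DN above, and write access only for that DN and the user.
```

Windows clients connecting to a standalone server authenticate with NTLM against `sambaNTPassword`, so an account has no working share login until its password has been set once through the extended operation.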



