[Samba] Authentication against kerberos / sssd
walk2sun
walk2sun at arcor.de
Tue Dec 11 17:19:01 UTC 2018
On 11.12.18 at 15:36, tseegerkrb via samba wrote:
> On 11.12.18 15:23, Rowland Penny via samba wrote:
>> On Tue, 11 Dec 2018 15:09:39 +0100
>> tseegerkrb via samba <samba at lists.samba.org> wrote:
>>
>>> Hello list,
>>>
>>> a quick question. Right now I have a combination of MIT Kerberos,
>>> OpenLDAP and SSSD for authenticating my users. Is there a way that
>>> Samba can use this setup to perform user authentication. I only want
>>> to access the shares of the Samba server from about 8 Windows
>>> computers. I am aware that I cannot make an Active Directory out of
>>> this.
The Samba 3 code supports openldap as a store for users, machines, groups
and other things you need.
>>>
>>> At the moment I have stored the users in a local passdb, which works
>>> but is very unpleasant.
This is really bad. I assume that you mean your userdb for samba is
local tdb files.
Switch to ldapsam.
>>>
>> That is why Microsoft came up with domains ;-)
>>
>> If you look at Active Directory, it is basically composed of kerberos,
>> ldap and dns, so you can replace your kerberos and ldap servers with a
>> Samba AD DC, this also comes with winbind which will replace sssd.
>>
>> There is just one possible fly in the ointment, you mention MIT & sssd,
>> is this using a red-hat OS ?
>> If it is, you cannot use the OS packages to create an AD DC, or if you
>> can (Fedora), it shouldn't be used in production.
>>
>> Rowland
>>
>>
> Hello Rowland,
>
> thanks for your answer but I don't want to replace my kerberos & ldap
> setup with an AD server. Basically I only want to control access to the
> handful of Samba shares.
Your users should auth against openldap with exop control enabled.
Openldap should hand over the auth to kerberos. And then install
slapo-smbk5pwd on your openldap server. This overlay will sync the samba
passwords.
Hint: I have never used sssd and I am sure I never will. For this
classic samba setup I prefer nslcd as pam and nss provider. Winbind will
also do.
If you are interested in such a setup I am willing to help.
>
> Thorsten
>
--
Harry
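
A configuration sketch of the ldapsam plus slapo-smbk5pwd setup suggested above, added here as an example and not part of the original thread. The host name, base DN, OU names and the `cn=samba` service DN are constructed placeholders.

```conf
# ---- /etc/samba/smb.conf on the file server (constructed values) ----
[global]
    workgroup = EXAMPLE
    server role = standalone server
    security = user
    # Account database in OpenLDAP instead of local tdb files
    passdb backend = ldapsam:ldap://ldap.example.com
    ldap suffix = dc=example,dc=com
    ldap user suffix = ou=People
    ldap group suffix = ou=Groups
    ldap machine suffix = ou=Computers
    ldap admin dn = cn=samba,dc=example,dc=com
    # sambaNTPassword is password-equivalent: require TLS on the LDAP link
    ldap ssl = start tls
    # Leave hash updates to the LDAP server (password-modify exop + overlay)
    ldap passwd sync = only

# ---- slapd.conf on the OpenLDAP server ----
# Global section: load the overlay module
moduleload  smbk5pwd.la

# Inside the database section that holds the accounts:
overlay     smbk5pwd
# Sync only the Samba hash on password change; Kerberos keys stay in the KDC
smbk5pwd-enable samba

# Hash attributes readable/writable only by the owner and the Samba service DN
access to attrs=userPassword,sambaNTPassword
    by self write
    by dn.exact="cn=samba,dc=example,dc=com" write
    by anonymous auth
    by * none
```

The bind password for `ldap admin dn` is not kept in smb.conf; it is stored in Samba's secrets database with `smbpasswd -w`.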