[Samba] Authentification against kerberos / sssd

Rowland Penny rpenny at samba.org
Tue Dec 11 20:00:24 UTC 2018


On Tue, 11 Dec 2018 20:41:46 +0100
tseegerkrb via samba <samba at lists.samba.org> wrote:

> On 11.12.18 18:19, walk2sun via samba wrote:
> > Am 11.12.18 um 15:36 schrieb tseegerkrb via samba:
> >> On 11.12.18 15:23, Rowland Penny via samba wrote:
> >>> On Tue, 11 Dec 2018 15:09:39 +0100
> >>> tseegerkrb via samba <samba at lists.samba.org> wrote:
> >>>
> >>>> Hello list,
> >>>>
> >>>> a quick question. Right now I have a combination of MIT Kerberos,
> >>>> OpenLDAP and SSSD for authenticating my users. Is there a way
> >>>> that Samba can use this setup to perform user authentication. I
> >>>> only want to access the shares of the Samba server from about 8
> >>>> Windows computers. I am aware that I cannot make an Active
> >>>> Directory out of this.
> > 
> > The samba 3 Code supports openldap as store for users, machines,
> > groups and other things you need.
> > 
> > 
> i think that's not possible, because i use sasl and the userPassword
> attribute contains something like "{SASL}username at KERBEROS.REALM".

That doesn't look like a password, it looks more like a UPN

> >>>>
> >>>> At the moment I have stored the users in a local passdb, which
> >>>> works but is very unpleasant.
> > 
> > This is really bad. I asume that you mean your userdb for samba are
> > local tdb files.
> yes
> > 
> > Switch to ldapsam.
> > 
> >>>>
> >>> That is why Microsoft came up with domains ;-)
> >>>
> >>> If you look at Active Directory, it is basically composed of
> >>> kerberos, ldap and dns., so you can replace your kerberos and
> >>> ldap servers with a Samba AD DC, this also come with winbind
> >>> which will replace sssd.
> >>>
> >>> There is just one possible fly in the ointment, you mention MIT &
> >>> sssd, is this using a red-hat OS ?
> >>> If it is, you cannot use the OS packages to create an AD DC, or
> >>> if you can (Fedora), it shouldn't be used in production.
> >>>
> >>> Rowland
> >>>
> >>>
> >> Hello Rowland,
> >>
> >> thanks for your answer but I don't want to replace my kerberos &
> >> ldap setup with an AD server. Basically I only want to control
> >> access to the handful of Samba shares.
> > 
> > Your users should auth against openldap with exop control enabled.
> > Openldap should handover the auth to kerberos. And then install
> > slapo-smbk5pwd on your openldap server. This overlay will sync the
> > samba passwords.
> slapo-smbk5pwd is for heimdal kerberos server only. i use the MIT
> kerberos server. There was a fork for MIT kerberos but i believe the
> project is dead.
> > 
> > 
> > Hint: I have never used sssd and i am sure i will never do. For this
> > classic samba setup i prefer nslcd as pam and nss provider. Winbind
> > will also do.
> everything expect samba is working very nice with sssd.

sssd isn't a Samba project.

> > 
> > If you are interesting i such a setup i am willing to help.
> > 
> >>
> >> Thorsten
> >>
> > -- 
> > 
> > Harry
> > 
> Is it possible to create trust between a samba4 AD and a MIT kerberos
> realm?
> 

What you are asking about has very little to do with Samba, I suggest
you ask your questions on a more relevant mailing list or forum, such as
your OS's

Rowland





More information about the samba mailing list