[Samba] Samba, Kerberos and LDAP Question - Samba


Thread: [Samba] Samba, Kerberos and LDAP Question

  1. [Samba] Samba, Kerberos and LDAP Question

    Hello Everyone,

    I have a question regarding Samba, Kerberos, and LDAP. Specifically, I would
    like to have users authenticate through Samba using the existing information
    stored in Kerberos and LDAP. According to the documents I have read, this is
    similar to the mechanism used by Microsoft's Active Directory, which Samba
    supports. However, I am completely confused on this issue: can MIT Kerberos
    and OpenLDAP be used as a backend to Samba? I have no Windows servers on the
    network, and attempts to authenticate against Kerberos have left all of the
    smb tools responding "cannot find DC for domain".

    If necessary, I will post the configuration information, but at this point,
    I only wish to find out if such a setup is currently possible. (I apologize
    if this question is common, but I could not find any clear answer after 72
    hours of searching).

    Sincerely,
    Alex
    --
    To unsubscribe from this list go to the following URL and read the
    instructions: https://lists.samba.org/mailman/listinfo/samba

  2. Re: [Samba] Samba, Kerberos and LDAP Question

    How will the users be authenticating? If you're going to be adding the
    machines to an NT domain and you want users to authenticate against
    that at login, you will need to store all the Samba account information,
    including the NT password hash, in there. So although you can still
    store your user info in LDAP, Kerberos won't be used for
    authentication.

    If you don't care about domain stuff, then you can put the Samba
    server into ADS mode and the Windows users can use their Kerberos
    tickets to get access. I'm not sure if this will work with MIT
    Kerberos on the client or if Microsoft Kerberos is required. The
    biggest pain with this is then managing local users on all the
    desktops, whereas they are one and the same with an NT or AD domain. You
    might be able to use some pGina or scripting magic to help compensate
    for this last part.

    As a last thought, I seem to remember that you can have Samba in user
    mode, set the domain, and it will still accept Kerberos credentials. I
    have not done this, however.

    Hope this helps a bit,
    --Ryan

    On Tue, Jun 24, 2008 at 2:31 PM, Alex wrote:
    > Hello Everyone,
    >
    > I have a question regarding Samba, Kerberos, and LDAP. Specifically, I would
    > like to have users authenticate through Samba using the existing information
    > stored in Kerberos and LDAP. According to the documents I have read, this is
    > similar to the mechanism used by Microsoft's Active Directory, which Samba
    > supports. However, I am completely confused on this issue: can MIT Kerberos
    > and OpenLDAP be used as a backend to Samba? I have no Windows servers on the
    > network, and attempts to authenticate against Kerberos have left all of the
    > smb tools responding "cannot find DC for domain".
    >
    > If necessary, I will post the configuration information, but at this point,
    > I only wish to find out if such a setup is currently possible. (I apologize
    > if this question is common, but I could not find any clear answer after 72
    > hours of searching).
    >
    > Sincerely,
    > Alex

  3. Re: [Samba] Samba, Kerberos and LDAP Question

    Hello again,

    Ideally, I would have the users authenticate with the existing logins in
    LDAP/Kerberos. The users already have access to their own machines, but need
    a mechanism to be able to access the shared data that they already have on
    Linux (these are roaming laptops, profiles and network login are unneeded).

    In case I am not clear, I do not need Samba to be a domain controller. In
    fact, I don't need a domain. I just want to use the existing user
    information available in LDAP and Kerberos, and expose it to Samba for
    minimal administrative overhead (i.e., I don't want to maintain an
    smbpasswd).

    Thank you in advance,
    Alex

    On Tue, Jun 24, 2008 at 5:47 PM, Ryan Bair wrote:

    > How will the users be authenticating? If you're going to be adding the
    > machines to an NT domain and you want users to authenticate against
    > that at login, you will need to store all the Samba account information,
    > including the NT password hash, in there. So although you can still
    > store your user info in LDAP, Kerberos won't be used for
    > authentication.
    >
    > If you don't care about domain stuff, then you can put the Samba
    > server into ADS mode and the Windows users can use their Kerberos
    > tickets to get access. I'm not sure if this will work with MIT
    > Kerberos on the client or if Microsoft Kerberos is required. The
    > biggest pain with this is then managing local users on all the
    > desktops, whereas they are one and the same with an NT or AD domain. You
    > might be able to use some pGina or scripting magic to help compensate
    > for this last part.
    >
    > As a last thought, I seem to remember that you can have Samba in user
    > mode, set the domain, and it will still accept Kerberos credentials. I
    > have not done this, however.
    >
    > Hope this helps a bit,
    > --Ryan