[Samba] Samba, Kerberos and LDAP Question - Samba
-
[Samba] Samba, Kerberos and LDAP Question
Hello Everyone,
I have a question regarding Samba, Kerberos, and LDAP. Specifically, I would
like to have users authenticate through Samba using the existing information
stored in Kerberos and LDAP. According to the documents I have read, this is
similar to the mechanism used by Microsoft's Active Directory, which Samba
supports. However, I am completely confused on this issue: can MIT Kerberos
and OpenLDAP be used as a backend to Samba? I have no Windows servers on the
network, and attempts to authenticate against Kerberos have left all of the
smb tools responding "cannot find DC for domain"
If necessary, I will post the configuration information, but at this point,
I only wish to find out if such a set up is currently possible. (I apologize
if this question is common, but I could not find any clear answer after 72
hours of searching).
Sincerely,
Alex
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/listinfo/samba
-
Re: [Samba] Samba, Kerberos and LDAP Question
How will the users be authenticating? If you're going to be adding the
machines to an NT domain and you want users to authenticate against
that at login you will need to store all the samba account information
including the nt password hash in there. So although you can still
store your user info in LDAP, Kerberos won't be used for
authentication.
If you don't care about domain stuff, then you can put the samba
server into ADS mode and the Windows users can use their Kerberos
tickets to get access. I'm not sure if this will work with MIT
Kerberos on the client or if Microsoft Kerberos is required. The
biggest pain with this is then managing local users on all the
desktops whereas they are one and the same with an NT or AD domain. You
might be able to use some pGina or scripting magic to help compensate
for this last part.
As a last thought, I seem to remember that you can have samba in user
mode, set the domain, and it will still accept Kerberos credentials. I
have not done this however.
Hope this helps a bit,
--Ryan
On Tue, Jun 24, 2008 at 2:31 PM, Alex wrote:
> Hello Everyone,
>
> I have a question regarding Samba, Kerberos, and LDAP. Specifically, I would
> like to have users authenticate through Samba using the existing information
> stored in Kerberos and LDAP. According to the documents I have read, this is
> similar to the mechanism used by Microsoft's Active Directory, which Samba
> supports. However, I am completely confused on this issue: can MIT Kerberos
> and OpenLDAP be used as a backend to Samba? I have no Windows servers on the
> network, and attempts to authenticate against Kerberos have left all of the
> smb tools responding "cannot find DC for domain"
>
> If necessary, I will post the configuration information, but at this point,
> I only wish to find out if such a set up is currently possible. (I apologize
> if this question is common, but I could not find any clear answer after 72
> hours of searching).
>
> Sincerely,
> Alex
-
Re: [Samba] Samba, Kerberos and LDAP Question
Hello again,
Ideally, I would have the users authenticate with the existing log ins in
LDAP/Kerberos. The users already have access to their own machines, but need
a mechanism to be able to access the shared data that they already have on
Linux (these are roaming laptops, profiles and network login are unneeded).
In case I am not clear, I do not need Samba to be a domain controller. In
fact, I don't need a domain. I just want to use the existing user
information available in LDAP and Kerberos, and expose it to Samba for
minimal administrative overhead (i.e., I don't want to maintain an
smbpasswd).
Thank you in advance,
Alex
On Tue, Jun 24, 2008 at 5:47 PM, Ryan Bair wrote:
> How will the users be authenticating? If you're going to be adding the
> machines to an NT domain and you want users to authenticate against
> that at login you will need to store all the samba account information
> including the nt password hash in there. So although you can still
> store your user info in LDAP, Kerberos won't be used for
> authentication.
>
> If you don't care about domain stuff, then you can put the samba
> server into ADS mode and the Windows users can use their Kerberos
> tickets to get access. I'm not sure if this will work with MIT
> Kerberos on the client or if Microsoft Kerberos is required. The
> biggest pain with this is then managing local users on all the
> desktops whereas they are one and the same with an NT or AD domain. You
> might be able to use some pGina or scripting magic to help compensate
> for this last part.
>
> As a last thought, I seem to remember that you can have samba in user
> mode, set the domain, and it will still accept Kerberos credentials. I
> have not done this however.
>
> Hope this helps a bit,
> --Ryan
>
> On Tue, Jun 24, 2008 at 2:31 PM, Alex wrote:
> > Hello Everyone,
> >
> > I have a question regarding Samba, Kerberos, and LDAP. Specifically, I would
> > like to have users authenticate through Samba using the existing information
> > stored in Kerberos and LDAP. According to the documents I have read, this is
> > similar to the mechanism used by Microsoft's Active Directory, which Samba
> > supports. However, I am completely confused on this issue: can MIT Kerberos
> > and OpenLDAP be used as a backend to Samba? I have no Windows servers on the
> > network, and attempts to authenticate against Kerberos have left all of the
> > smb tools responding "cannot find DC for domain"
> >
> > If necessary, I will post the configuration information, but at this point,
> > I only wish to find out if such a set up is currently possible. (I apologize
> > if this question is common, but I could not find any clear answer after 72
> > hours of searching).
> >
> > Sincerely,
> > Alex