# Samba via ldap/kerberos

## Jesore

Hi,

I have a working config of unix accounts stored in an ldap (openldap 2.1) directory. The passwords are stored in a heimdal kerberos database via

```
userPassword: {KERBEROS}principal@REALM
```

As our network will soon be moving to samba3 - mostly win clients there, the ldap setup was mainly for my personal enjoyment - I thought why not move all the accounts over to ldap.

My questions are the following:

1. The samba option "pam password change" is used to change the unix password along with the win password. Will that also work via my ldap/kerberos setup?

2. Can I also store the ntPassword in my kerberos? It wouldn't make much sense if I put the unix passwords in kerberos and leave the win ones out. Then I can throw out kerberos altogether as I see it - or am I wrong?

Maybe someone knows a little about that matter and is willing to tell.

Jesore

----------

## HogRider

Perhaps this will help...

Approx. 4 months ago I set up an ldap-based samba 3 environment with kerb auth.  This did not include MS based server integration.  It did include Win2K clients.

Client performs Kerb auth, and accesses samba with those creds.

Win2K clients can be configured to use K5 during initial login.

This was based upon stock MIT K5, not heimdal.  The kerb auth was direct, not ldap hosted.

Good Luck.

----------

## Jesore

Thanks,

but how exactly did you get samba to connect the user data from ldap with the kerberos principal if auth goes completely over kerb?

Btw, heimdal is very much like MIT. I read a little about MIT and as far as I know there should be no problem understanding and transferring your info to heimdal.

My setup is very similar - only unix servers (one Mac OSX, rest linux).

Jesore

----------

## dogghaus

Sorry, jesore, to interject with a question, but hogrider, how did you get samba to authenticate to kerberos?  Do you have any links to some docs or howtos?

I don't need to store the share information in ldap, I just want to store the passwords in a krb5 database.  I've tried using PAM, but no luck.  Then again, at the time I think something shiny went by, and completely grabbed my attention.  That was about a year ago, and I decided to wait for samba3.

Any input would be appreciated.

----------

## HogRider

I'll look up my notes.  This was back in ~Aug, working with beta-3 code, 2 months before I got laid off.

Backed up my notes & work before turning in the laptop, but I'll have to sift through the archives.

dogghaus, this should be straightforward.  Get your TGT, and connect.  BTW, make sure you have K5 installed before compiling samba, & check your 'USE' statements.  I had to do mine manually, but expect portage should pick it up by now.  Compile samba with the proper switches and have the client request kerb auth.

I should have answers in a few days.

----------

## Jesore

I'm in no great hurry - a test setup with samba3 + ldap already stands (without kerberos) and it would be good to finish this whole thing around the beginning of February. The extras are as I said for my pure enjoyment. On the other hand - the more I do the more I will have to document :Shocked: :Confused:

Explanation: The whole project will be included into teaching documents for intranet services. Wish me luck!

Thanks for looking the data up.

Jesore

----------

## dogghaus

Hmmm...  I don't know about it being straightforward, I've been doing google searches on this for over two years and have not found a viable solution.  Having a client request a tgt from a krb5 server, okay, I've run krb5 realms with win2k clients and samba is the odd man out.  I've had to use afs as a file sharing mechanism; it's much more advanced, but it's a lot more work that is not necessary for a lan.  Just having a client get a tgt won't do it; somehow samba has to know it is capable of receiving or acknowledging tickets, krb5 has to be aware that the samba server or client is allowed to have a ticket (easy part), and the clients may have to have keytabs present to authenticate (which I would rather not do; some proprietary lab equipment still use nt4 or win98).

Actually, all I need to know is what you configured in your smb.conf file to look for a krb5 server, and I can do the rest from there.  If you could do that you would be a champion in the eyes of at least forty samba users (well, if I tell them they are using samba; okay, if I tell them "mapped drives" are not actually on their computers).

----------

## Jesore

*dogghaus wrote:*

> If you could do that you would be a champion in the eyes of at least forty samba users (well, if I tell them they are using samba; okay, if I tell them "mapped drives" are not actually on their computers).

At my company we taught them the hard way - after every course the windows clients get deleted and reinstalled (via ssh/dd - easy as pie). So if a person takes more than one class, in the next one he/she will sit at a new PC. We simply tell them to save all important work on the mapped drive - otherwise they'll regret it :Smile:

Jesore

----------

## Jesore

Any news on your docu, HogRider?

----------

## HogRider

Still trying to gather the pieces.  Unfortunately, this was my last project before the layoff, so things were rapidly dumped before they took back the laptop.

What I may do is recreate the functional environment (got plenty of spare time), and post the key processes.  Shouldn't take more than a few days that way.

BTW, Samba authenticates via PAM.  Kerb auth to samba is done by first configuring pam properly, then using the built-in Kerb client in W2K (or the '-k' switch in the samba client) to present creds.  The add-on (MIT) k5 client will not work (Windows stores the TGTs in an alternate location, and integrates them into the auth mech).

I'll work out the details shortly, sorry for the delay (kids & holidays don't make for a productive environment).
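As an added illustration of the PAM point above (example code written for this thread, not from any poster or from the Samba project): a small audit of an smb.conf [global] section for the settings that decide whether a pam_krb5 stack is ever consulted. It assumes Samba 3 semantics, where PAM is ignored for authentication unless `encrypt passwords = no`, and the sample configs in the comments are constructed.

```python
"""Audit an smb.conf [global] section for the settings that decide whether a
PAM stack (for example pam_krb5) is ever consulted.  Constructed example for
this thread; not from the Samba project.  Assumes Samba 3 semantics."""
import re

TRUE_VALUES = {"yes", "true", "1"}
FALSE_VALUES = {"no", "false", "0"}


def parse_global(conf: str) -> dict:
    """Return the [global] parameters as {key: value}; keys are lower-cased
    with internal whitespace collapsed, which is how Samba compares them."""
    params, section = {}, None
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":      # blank line or comment
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:                                # section header such as [global]
            section = m.group(1).strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue                         # share sections do not matter here
        key, value = line.split("=", 1)
        params[" ".join(key.lower().split())] = value.strip()
    return params


def as_bool(value: str, default: bool) -> bool:
    """Interpret a Samba boolean (yes/no, true/false, 1/0)."""
    v = value.strip().lower()
    return True if v in TRUE_VALUES else False if v in FALSE_VALUES else default


def audit_pam_auth(conf: str) -> list:
    """Report what blocks PAM authentication and what a working setup costs."""
    g = parse_global(conf)
    findings = []
    # Samba hands a password to PAM only when the client sent it in the clear;
    # with the default "encrypt passwords = yes" PAM is ignored for authentication.
    if as_bool(g.get("encrypt passwords", "yes"), True):
        findings.append("encrypt passwords = yes: PAM is ignored for authentication")
    else:
        findings.append("encrypt passwords = no: passwords cross the wire in the clear")
    if not as_bool(g.get("obey pam restrictions", "no"), False):
        findings.append("obey pam restrictions = no: PAM account/session checks skipped")
    if not as_bool(g.get("pam password change", "no"), False):
        findings.append("pam password change = no: changes go to passwd program, not PAM")
    return findings
```

Run `audit_pam_auth(open("/etc/samba/smb.conf").read())` on a real file; a stock Samba 3 config produces the first finding, which is why a pam_krb5 stack alone never gets exercised.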

----------

## Jesore

Take your time - this is very interesting for me and I'm willing to wait quite a while for it. Besides, this is voluntary, I'm glad you're willing to help at all.

What I still don't get is how you associate the ticket with the user database that samba looks up (for home drives etc.). That is the point I'm currently hanging on. Where you store this data - LDAP would still be my first choice for this - should be irrelevant.

Well, I'm looking forward to testing your setup.

Jesore

----------

## bubad

Wow! 2 years? :Shocked: And I thought googling for 3 days was bad!

I noticed the lack of documentation on this matter too, I'm trying to set up a fully centralized network for both win and *nix boxes, using Kerberos to authenticate, LDAP to store user accounts, and afs for file sharing and samba as PDC.

HogRider: Did you set up something like that without using LDAP to store users? How? NIS/YP? :Confused:

----------

## utabintarbo

Any progress on how to make this happen? This has become #1 on my to-do list!

Bob

----------

## Jesore

Hmmm - I have no news on that topic either. I dumped the kerberos part for my teachings anyway - far too complex for mostly beginners.

Jesore

----------

## arkane

I'm definitely interested in this also.  Samba authentication via LDAP.

We're using the 2.x series right now on Redhat 8, about 42 sites.  Every time someone needs to use a system at a site, I need to add the user to the local samba "server".  (The site samba servers authenticate with the PDC currently here at home office.)

What I'm looking to do is use our LDAP server as the auth point, instead of the PDC.  We have an LDAP server that holds all of the login data, and credentials about the user.  I've successfully gotten both Linux and Windows to authenticate against it.  It's used for our in-house application, to integrate Windows logins with the application login.  The LDAP server is the de facto standard now here, with the PDC having the user info pushed to it instead of Windows being a real "primary".

Anyway, as I was saying, what I'm looking to do is very close to the subject of this thread: whenever a user hits a share on the remote samba server, it queries the LDAP server for auth privs instead of the smbpasswd or the PDC.  I'd *really* like to get it to the point that I don't even need a Unix account for that individual on the actual machine, but winbind hasn't been an easy setup.

Does anyone know of any good documents that describe this type of thing?

I've been scouring the net all day.  This is the second phase out of 4 phases of a Windows-less server room.

----------

## IEdirtbiker

I have been tinkering with trying to get this to work as well.  I have come across some web sites that cover LDAPv3 (kerberos & LDAP) and SAMBA/LDAP; the links are here:

http://www.bayour.com/LDAPv3-HOWTO.html

http://www.unav.es/cti/ldap-smb/smb-ldap-3-howto.html

Hope this can help any of you that are interested, and if you can get it to work, I'd sure like some pointers... I can get Kerberos to work, and can get LDAP to work... but have not been able to get the LDAP access to authenticate from kerberos.

Dennis

----------

## Jesore

That's exactly the point where we all fail. Kerberos and LDAP are no problem. Samba authenticating against Kerberos is easy, but Samba authing against Kerberos and getting all other info out of the LDAP is the hard part.

The links are nice, I had already read through them before starting this thread, but I'm afraid they don't cover our exact problem.

Jesore

----------

