Samba authentication to Kerberos via OpenLDAP, third and last try

Wes Modes wmodes at
Thu Apr 3 16:44:05 EDT 2008

I've asked a similar question on this list, the OpenLDAP list, and on 
the Samba list.  And while this question has the least to do with 
Kerberos, I received the more helpful answers here.  As I come to 
understand the software I'm dealing with, I can chisel down to the heart 
of what I need to know.   I ask you to consider what I'm asking remotely 
possible, and then seek a solution.  Consider this a challenge or a riddle.

   1. I have an OpenLDAP directory server that I am using for user and
      group information.  I would like to use it also to authenticate
      against.  This way, whatever I hook up to it (Samba, webstuff, PHP
      apps, CMS) can both authenticate and authorize from one source. 
   2. There is a separate Kerberos server that has users' campus-wide
      passwords.  I have access to it, but do not control it.
   3. I have a separate linux file server running Samba.  PCs and Macs
      will connect to it. 

I know I can do Kerberos authentication directly from Samba, but I'd 
prefer OpenLDAP do the Kerberos connection.  Here's why:  a) I can solve 
the problem once, rather than have to work out BOTH LDAP and Kerberos 
connections for every new authenticated service I add, and b) LDAP hooks 
are more common than Kerberos hooks for other services for which I will 
eventually want authentication and authroization.  And yes, I know it 
breaks the Kerberos model.

The question and the challenge:  Any leads on how I might convince Samba 
to pass the input password on to OpenLDAP so that OpenLDAP can 
authenticate it against Kerberos?



Wes Modes
Server Administrator & Programmer Analyst
McHenry Library
Computing & Network Services
Information and Technology Services

More information about the Kerberos mailing list