Samba authentication to Kerberos via OpenLDAP, third and last try
wmodes at ucsc.edu
Thu Apr 3 16:44:05 EDT 2008
I've asked a similar question on this list, the OpenLDAP list, and on
the Samba list. And while this question has the least to do with
Kerberos, I received the more helpful answers here. As I come to
understand the software I'm dealing with, I can chisel down to the heart
of what I need to know. I ask you to consider what I'm asking remotely
possible, and then seek a solution. Consider this a challenge or a riddle.
1. I have an OpenLDAP directory server that I am using for user and
group information. I would like to use it also to authenticate
against. This way, whatever I hook up to it (Samba, webstuff, PHP
apps, CMS) can both authenticate and authorize from one source.
2. There is a separate Kerberos server that has users' campus-wide
passwords. I have access to it, but do not control it.
3. I have a separate linux file server running Samba. PCs and Macs
will connect to it.
I know I can do Kerberos authentication directly from Samba, but I'd
prefer OpenLDAP do the Kerberos connection. Here's why: a) I can solve
the problem once, rather than have to work out BOTH LDAP and Kerberos
connections for every new authenticated service I add, and b) LDAP hooks
are more common than Kerberos hooks for other services for which I will
eventually want authentication and authroization. And yes, I know it
breaks the Kerberos model.
The question and the challenge: Any leads on how I might convince Samba
to pass the input password on to OpenLDAP so that OpenLDAP can
authenticate it against Kerberos?
Server Administrator & Programmer Analyst
Computing & Network Services
Information and Technology Services
More information about the Kerberos