Fri Apr 4 11:44:09 EDT 2008

The discussions of the usefulness or wisdom of using LDAP as your authentication
front-end aside, what you're looking for is SASL authd support in OpenLDAP.

Most of this is from memory and sparse on info, but at the very least it will
tell you that this is very likely possible as I understand your needs, and that
solutions do exist.

Assuming you've built OpenLDAP with the --with-spasswd option, and that you've
got SASL installed with the GSSAPI plugin, you want to make sure you can auth to
Kerberos through the saslauthd server. Once that's done, setting a user's
password to {SASL}kerberosprincipal, will effectively have OpenLDAP check the
password via SASL. For example, my password in LDAP right now is

I have not used this mechanism in conjunction with Samba, which is why I say
that this is very likely possible, and not definitely possible.

This is all OpenLDAP and SASL, though, not Kerberos. As such, I will gladly go
into more detail off list, and help where I can.

Sean Myers
System Administrator
American Research Institute
(919) 228-4961

Wes Modes wrote:
> I've asked a similar question on this list, the OpenLDAP list, and on 
> the Samba list.  And while this question has the least to do with 
> Kerberos, I received the more helpful answers here.  As I come to 
> understand the software I'm dealing with, I can chisel down to the heart 
> of what I need to know.   I ask you to consider what I'm asking remotely 
> possible, and then seek a solution.  Consider this a challenge or a riddle.
>    1. I have an OpenLDAP directory server that I am using for user and
>       group information.  I would like to use it also to authenticate
>       against.  This way, whatever I hook up to it (Samba, webstuff, PHP
>       apps, CMS) can both authenticate and authorize from one source. 
>    2. There is a separate Kerberos server that has users' campus-wide
>       passwords.  I have access to it, but do not control it.
>    3. I have a separate linux file server running Samba.  PCs and Macs
>       will connect to it. 
> I know I can do Kerberos authentication directly from Samba, but I'd 
> prefer OpenLDAP do the Kerberos connection.  Here's why:  a) I can solve 
> the problem once, rather than have to work out BOTH LDAP and Kerberos 
> connections for every new authenticated service I add, and b) LDAP hooks 
> are more common than Kerberos hooks for other services for which I will 
> eventually want authentication and authorization.  And yes, I know it 
> breaks the Kerberos model.
> The question and the challenge:  Any leads on how I might convince Samba 
> to pass the input password on to OpenLDAP so that OpenLDAP can 
> authenticate it against Kerberos?
> Wes
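The chain Sean sketches in his reply (slapd built with SASL password checking, saslauthd speaking to the KDC, and a `{SASL}` value in `userPassword`) written out as the steps an administrator would actually run. This is an added example, not code from Sean, Wes, or any of the projects named in the thread. It assumes slapd was built with the SASL password-checking option Sean mentions and that cyrus-sasl's saslauthd is installed; the realm `EXAMPLE.EDU`, the suffix `dc=example,dc=edu`, the `ou=People` container, the uid `wes` and the socket path `/var/run/saslauthd/mux` are constructed placeholders to adjust for your site.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): route OpenLDAP simple binds
# through saslauthd to Kerberos, as described in Sean's reply.
# Assumptions: slapd built with SASL password checking, cyrus-sasl with saslauthd
# installed; realm, base DN, container and socket path below are placeholders.
set -eu

REALM="EXAMPLE.EDU"                 # placeholder Kerberos realm
BASEDN="dc=example,dc=edu"          # placeholder directory suffix
SASL_MUX="/var/run/saslauthd/mux"   # saslauthd socket; location is distribution-dependent

# 1. saslauthd must run with the kerberos5 mechanism so that it verifies a
#    username/password pair against the KDC (in init scripts: MECHANISMS="kerberos5").
saslauthd_cmdline() {
    printf 'saslauthd -a kerberos5 -m %s\n' "$(dirname "$SASL_MUX")"
}

# 2. slapd's SASL library configuration (typically /usr/lib/sasl2/slapd.conf or
#    /etc/sasl2/slapd.conf): send password checks to saslauthd instead of sasldb.
#    This is what makes the {SASL} userPassword scheme reach Kerberos.
slapd_sasl_conf() {
    printf 'pwcheck_method: saslauthd\nsaslauthd_path: %s\n' "$SASL_MUX"
}

# 3. The {SASL} scheme stores no secret in the directory at all, only the SASL
#    authentication id (here the Kerberos principal) that saslauthd should check.
sasl_password_value() {
    principal="$1"
    printf '{SASL}%s' "$principal"
}

# LDIF that points an existing entry's password at Kerberos via SASL.
user_ldif() {
    uid="$1"
    printf 'dn: uid=%s,ou=People,%s\nchangetype: modify\nreplace: userPassword\nuserPassword: %s\n' \
        "$uid" "$BASEDN" "$(sasl_password_value "$uid@$REALM")"
}

# 4. Checks in the order Sean gives: saslauthd on its own first, then a simple
#    bind through slapd. Both tools are only invoked when present on this host.
verify() {
    uid="$1"
    if command -v testsaslauthd >/dev/null 2>&1; then
        # Read the password from the terminal rather than putting it in shell history.
        printf 'Password for %s@%s: ' "$uid" "$REALM"; stty -echo; read -r pw; stty echo; echo
        testsaslauthd -f "$SASL_MUX" -s ldap -u "$uid" -r "$REALM" -p "$pw"
        ldapwhoami -x -H ldap://localhost -D "uid=$uid,ou=People,$BASEDN" -w "$pw"
    else
        echo "testsaslauthd not installed; skipping live check" >&2
    fi
}

# Running the script prints the generated configuration and LDIF for review.
saslauthd_cmdline
slapd_sasl_conf
user_ldif wes
```

Apply the LDIF with `ldapmodify` as the directory manager, then call `verify wes` from a shell that has sourced the script. Two points worth keeping in mind on the defending side: with the `{SASL}` scheme the directory holds no password hash, so the KDC remains the only place the secret lives, and the check only happens on a simple bind, which carries the user's password in clear over the LDAP connection, so slapd should require TLS for those binds.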

