Samba authentication to Kerberos via OpenLDAP, third and last try

Wes Modes wmodes at
Fri Apr 4 14:33:38 EDT 2008

Thanks, Sean.  I've set up the OpenLDAP to Kerberos connection using 
Saslauthd and the {SASL}username at MYREALM.EDU.  That part at least is 
indeed possible. 

I've also set up an authentication connection between Samba and 
OpenLDAP, via smbldap-tools.  It works by adding new fields to the 
OpenLDAP schema specific to the needs of samba.  Then samba uses those 
OpenLDAP fields as a hashed password repository. 

The challenge is that these are two methods allow Samba to authenticate 
via OpenLDAP and allow OpenLDAP to authenticate via Kerberos, they are 
really intended for different purposes.  In method one, samba is 
authenticating by comparing the passwords its getting to the OpenLDAP 
hashed repository.  In method two, OpenLDAP is using saslauthd to 
authenticate against a Kerberos realm.  They are two different 
mechanisms with two different security models.

I know now that I can't just plug them in end-to-end and expect them to 
work.  But I was hoping that experts on this and the OpenLDAP list would 
suggest creative solutions.  I'm open to creative hacks and use contrary 
to labeling. 

For instance, when Samba goes to retrieve the hashed passwords stored in 
the OpenLDAP repository, to get access tot he OpenLDAP db, it 
authenticates via a rootdn with a password stored in a Samba db.   On 
the OpenLDAP side, I imagine slapd can be configured to auth against 
Kerberos.  Could I somehow pass the requesting Samba user and password 
(or a hash) as the rootdn and rootpw for authentication?

I know this has drifted pretty far a field from a Kerberos question.  
But this list has been considerably more helpful than the lists 
purportedly dealing with Samba and OpenLDAP.


Sean Myers wrote:
> The discussions of the usefulness or wisdom of using LDAP as your authentication
> front-end aside, what you're looking for is SASL authd support in OpenLDAP.
> Most of this is from memory and sparse on info, but at the very least it will
> tell you that this is very likely possible as I understand your needs, and that
> solutions do exist.
> Assuming you've built OpenLDAP with the --with-spasswd option, and that you've
> got SASL installed with the GSSAPI plugin, you want to make sure you can auth to
> Kerberos through the saslauthd server. Once that's done, setting a user's
> password to {SASL}kerberosprincipal, will effectively have OpenLDAP check the
> password via SASL. For example, my password in LDAP right now is
> I have not used this mechanism in conjunction with Samba, which is why I say
> that this is very likely possible, and not definitely possible.
> This is all OpenLDAP and SASL, though, not Kerberos. As such, I will gladly go
> into more detail off list, and help where I can.
> --
> Sean Myers
> System Administrator
> American Research Institute
> (919) 228-4961
> Wes Modes wrote:
>> I've asked a similar question on this list, the OpenLDAP list, and on 
>> the Samba list.  And while this question has the least to do with 
>> Kerberos, I received the more helpful answers here.  As I come to 
>> understand the software I'm dealing with, I can chisel down to the heart 
>> of what I need to know.   I ask you to consider what I'm asking remotely 
>> possible, and then seek a solution.  Consider this a challenge or a riddle.
>>    1. I have an OpenLDAP directory server that I am using for user and
>>       group information.  I would like to use it also to authenticate
>>       against.  This way, whatever I hook up to it (Samba, webstuff, PHP
>>       apps, CMS) can both authenticate and authorize from one source. 
>>    2. There is a separate Kerberos server that has users' campus-wide
>>       passwords.  I have access to it, but do not control it.
>>    3. I have a separate linux file server running Samba.  PCs and Macs
>>       will connect to it. 
>> I know I can do Kerberos authentication directly from Samba, but I'd 
>> prefer OpenLDAP do the Kerberos connection.  Here's why:  a) I can solve 
>> the problem once, rather than have to work out BOTH LDAP and Kerberos 
>> connections for every new authenticated service I add, and b) LDAP hooks 
>> are more common than Kerberos hooks for other services for which I will 
>> eventually want authentication and authroization.  And yes, I know it 
>> breaks the Kerberos model.
>> The question and the challenge:  Any leads on how I might convince Samba 
>> to pass the input password on to OpenLDAP so that OpenLDAP can 
>> authenticate it against Kerberos?
>> Wes
> ________________________________________________
> Kerberos mailing list           Kerberos at


Wes Modes
Server Administrator & Programmer Analyst
McHenry Library
Computing & Network Services
Information and Technology Services

More information about the Kerberos mailing list