José Ildefonso Camargo Tolosa wrote:
| Hi!
|
| I have been reading for about two weeks (maybe I'm reading in the wrong
| places). I have found as many documents as one could expect describing
| how to build an LDAPv3 server, or how to build samba with ldap. This
| far, I have failed, and have a BIG confusion in the order in which the
| things should go:
|
| In one document, they recommend this:
|
| samba -> ldap -> sasl -> kerberos (so, the passwords get stored in the
| kerberos database, at least that's what they say, but..... does the
| samba schema do this in fact? Will the samba passwords be kept in
| the kerberos database, or does it just store the passwords in the ldap's
| database?).
|
| In another (simpler):
|
| samba -> ldap
| and:
| kerberos -> ldap (thus, storing the kerberos passwords in the ldap
| (duh...)).
|
| All that I'm trying to do is to get a PDC with a directory service, but
| I need it to be secure (that's why I'm bothering with kerberos).
| Anyway, I would like to know: in which order should I build the thing?
|
| Build orders:
|
| 1. kerberos, next sasl, next ldap, next samba (configured for samba ->
| ldap -> sasl -> kerberos).
| 2. ldap, next samba (just samba -> ldap, without kerberos password
| storing).
|
| Also, if I use option 1, should the windows clients use a kerberos
| client, or do they just log in as usual? Has anybody tested something like
| this?
|
| My system:
|
| Hardware:
| + Athlon XP 1500+, 512Mb RAM (133).
|
| Software:
| + Slackware 9.1 (with kernel 2.6.5), and most recent upgrades of all
| packages.
| + OpenLDAP 2.2.8
| + kerberos: MIT kerberos 1.3.2 (read somewhere that it has thread
| issues, I'm thinking to move to heimdal, any suggestions?), heimdal 0.6.1.
| + samba 3.0.2a
| + cyrus sasl 2.1.18
| + Berkeley DB 4.2.52
| + OpenSSL 0.9.7d.
|
| Thanks in advance for your help,
|
| Sincerely,
|
| Ildefonso Camargo
| [EMAIL PROTECTED]
|

If you have no *NIX clients, then you couldn't yet get any serious benefit from using Kerberos for Windows clients. So in this case I would suggest building OpenSSL, OpenLDAP, and then Samba. Configure a certificate authority, if you don't want to use a commercially available one. Create certificates for your OpenLDAP server. Configure OpenLDAP. Configure nss_ldap and pam_ldap to use TLS or SSL connections. Configure Samba to connect using TLS or SSL to your LDAP server. In this way you can achieve the maximum security from the ldap+samba setup.
Cheers
Geza
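A check for the last steps of the reply above (nss_ldap/pam_ldap and Samba talking to LDAP over TLS or SSL), as an added example that is not part of the original thread. The function names, the host `ldap.example.com` and the CA path are constructed placeholders, and the checker assumes each setting is written explicitly rather than left to a default.

```python
# Added example: flag Samba and nss_ldap/pam_ldap settings that leave
# LDAP traffic unencrypted. Sample configs below are constructed.
WEAK_SMB = "[global]\npassdb backend = ldapsam:ldap://ldap.example.com\nldap ssl = off\n"
GOOD_SMB = "[global]\npassdb backend = ldapsam:ldap://ldap.example.com\nldap ssl = start tls\n"
WEAK_LDAP = "uri ldap://ldap.example.com/\nssl no\n"
GOOD_LDAP = ("uri ldap://ldap.example.com/\nssl start_tls\n"
             "tls_checkpeer yes\ntls_cacertfile /etc/ssl/certs/example-ca.pem\n")

def parse(text, sep=None):
    """Parse 'key<sep>value' lines (sep=None splits on whitespace) into a dict."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;[":      # comments and [section] headers
            continue
        parts = line.split(sep, 1)
        if len(parts) == 2:
            key = " ".join(parts[0].lower().split())
            cfg[key] = parts[1].strip()
    return cfg

def norm(value):
    """Treat 'start_tls' and 'Start TLS' as the same value."""
    return value.lower().replace("_", " ").strip()

def audit_samba(smb_conf):
    """Findings for the Samba -> LDAP hop in smb.conf text."""
    cfg = parse(smb_conf, "=")
    backend = cfg.get("passdb backend", "").lower()
    if "ldapsam" not in backend:
        return ["smb.conf: passdb backend is not ldapsam"]
    if "ldaps://" in backend or norm(cfg.get("ldap ssl", "")) in ("start tls", "on"):
        return []
    return ["smb.conf: Samba -> LDAP is not protected by TLS/SSL"]

def audit_ldap_client(ldap_conf):
    """Findings for the nss_ldap/pam_ldap -> LDAP hop in ldap.conf text."""
    cfg = parse(ldap_conf)
    findings = []
    uris = cfg.get("uri", "").lower().split()
    all_ldaps = bool(uris) and all(u.startswith("ldaps://") for u in uris)
    if not all_ldaps and norm(cfg.get("ssl", "")) not in ("start tls", "on"):
        findings.append("ldap.conf: nss_ldap/pam_ldap -> LDAP is not protected by TLS/SSL")
    if norm(cfg.get("tls_checkpeer", "")) != "yes":
        findings.append("ldap.conf: server certificate is not verified (tls_checkpeer)")
    return findings

if __name__ == "__main__":
    for f in audit_samba(WEAK_SMB) + audit_ldap_client(WEAK_LDAP):
        print(f)
```
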