Gémes Géza wrote:


If you have no *NIX clients, then you couldn't yet get any serious
benefit from using Kerberos for Windows clients.
So in this case I would suggest building OpenSSL, OpenLDAP, and then
Samba. Configure a certificate authority, if you don't want to use a
commercially available one. Create certificates for your OpenLDAP
server. Configure OpenLDAP. Configure nss_ldap and pam_ldap to use TLS
or SSL connections. Configure Samba to connect using TLS or SSL to your
LDAP server. In this way you can achieve the maximum security from the
ldap+samba setup.


Cool. I'll try that one to make it start, and have something to begin working with.

I have *nix clients. See, what I mean to do is the following (not sure if it can work):

+ Install a kerberos client on the windows workstations (somebody told me that win2k and up already have one (probably a non-standard one)) and, of course, on the *nix workstations.
+ Make people authenticate to a KDC.
+ Using the kerberos ticket, the user should be able to access his/her folders on the samba server, without having to log into the samba again.
+ The user should be able to log into his/her mail (a pop/imap server) without having to enter his/her password again (this one I already know works).
+ Be able to use ldap to "centralize" the users (maybe the ldap as backend to kerberos).
+ Of course the profiles of mozilla and others would go onto the server, thus creating "roaming" profiles (this is a cosmetic one, first I need the thing working).


I'm not sure how to make this; I have several options, but I'm not sure if it can be done (never seen something like this in the docs):

1. Make samba a kerberos service, so that samba authenticates the users using the kerberos mechanism:

This implies this order:

samba -> kerberos 5 -> ldap (can this actually be done?). (this reads: samba asks kerberos, and kerberos asks ldap).
workstation -> kerberos 5 -> ldap (this is what would happen on the client side).


In this one, I'm not sure how the log-in would work; I think that the workstations will not use a "domain", and hence would not use the authentication methods provided by samba.

2. The option I have seen in many docs:

samba -> ldap -> sasl -> kerberos (not sure how this one works, I guess it is something like the ldap is a kerberos service, and users authenticate to samba using the directory, but they don't use kerberos for authentication; this would mean that the SSO (single sign on) would not work?).

Any docs, any help is welcome,

Thanks for the fast answer, and once again, thanks in advance for any help on this,

Sincerely,

Ildefonso Camargo
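Gémes's quoted advice (Samba using the OpenLDAP directory as its password backend over TLS, and nss_ldap/pam_ldap talking to the same directory over TLS with the server certificate verified) in configuration form. This is an added example, not from either poster; the hostname, DNs and CA path are assumed.

```ini
# --- /etc/samba/smb.conf (example; hostnames and DNs are assumed) ---
[global]
   workgroup = EXAMPLE
   security = user
   # Samba authenticates users against accounts stored in the directory.
   passdb backend = ldapsam:ldap://ldap.example.internal
   # Upgrade the connection with STARTTLS before the simple bind, so the
   # "ldap admin dn" password is never sent in the clear.
   # Weak setting to avoid:  ldap ssl = off  (with a plain ldap:// URI)
   ldap ssl = start tls
   ldap admin dn = cn=samba,ou=services,dc=example,dc=internal
   ldap suffix = dc=example,dc=internal
   ldap user suffix = ou=people
   ldap group suffix = ou=groups

# --- /etc/ldap.conf for nss_ldap and pam_ldap (example) ---
# uri ldap://ldap.example.internal
# base dc=example,dc=internal
# ssl start_tls
# Verify the server certificate against your own CA; "tls_checkpeer no"
# would accept any certificate and defeat the point of running TLS.
# tls_checkpeer yes
# tls_cacertfile /etc/ssl/certs/example-ca.pem
```

The ldap.conf lines are shown commented out only because they share the block with smb.conf; they go into /etc/ldap.conf uncommented. The "ldap admin dn" password itself is stored separately with `smbpasswd -w`, not in smb.conf.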

--
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba
