If you want to see the order in which to compile them and get them to work, then look at:
http://www.math.gatech.edu/~dijuremo/ldap/

If you have a native Windows PDC and samba is acting as a secondary, then you can have kerberos authentication against the Windows PDC kerberos. This is done with a cross-realm authentication trick, as I was told by Gerald Carter (one of the developers of samba). Samba 3 does not support kerberos auths without having a Windows PDC with Active Directory.

If you do not have a native Windows PDC then you need to authenticate against the passwords stored in tdbsam or ldapsam, but not on kerberos.

Diego

On Wed, 14 Apr 2004, José Ildefonso Camargo Tolosa wrote:

> Gémes Géza wrote:
>
> > If you have no *NIX clients, then you couldn't yet get any serious
> > benefit from using Kerberos for Windows clients.
> > So in this case I would suggest to build OpenSSL, OpenLDAP, and then
> > Samba. Configure a certificate authority, if you don't want to use a
> > commercially available one. Create certificates for your OpenLDAP
> > server. Configure OpenLDAP. Configure nss_ldap and pam_ldap, to use TLS
> > or SSL connections. Configure Samba, to connect using TLS or SSL to your
> > LDAP server. In this way you can achieve the maximum security from the
> > ldap+samba setup.
>
> Cool. I'll try that one to make it start, and have something to begin
> working with.
>
> I have *nix clients. See, what I mean to do is the following (not sure
> if it can work):
>
> + Install a kerberos client on the windows workstations (somebody told
>   me that the win2k and up already have one (probably a non-standard one))
>   and, of course, on the *nix workstations.
> + Make people authenticate to a KDC.
> + Using the kerberos ticket, the user should be able to access his/her
>   folders on the samba server, without having to log into the samba again.
> + The user should be able to log into her/his mail (a pop/imap server)
>   without having to put his/her password again (this one I already know
>   works).
> + Be able to use ldap to "centralize" the users (maybe the ldap as
>   backend to kerberos).
> + Of course the profiles of mozilla and others would go into the
>   server, thus creating "roaming" profiles (this is a cosmetic one, first
>   I need the thing working).
>
> I'm not sure how to do this. I have several options, but I'm not sure
> if it can be done (I have never seen something like this in the docs):
>
> 1. Make samba a kerberos service, so that samba authenticates the users
>    using the kerberos mechanism:
>
>    This implies this order:
>
>    samba -> kerberos 5 -> ldap (can this actually be done?). (this reads:
>    samba asks kerberos, and kerberos asks ldap).
>    workstation -> kerberos 5 -> ldap (this is what would happen on the
>    client side).
>
>    In this one, I'm not sure how the log-in would work, I think that the
>    workstations will not use a "domain", and hence would not use the
>    authentication methods provided by samba.
>
> 2. The option I have seen in many docs:
>
>    samba -> ldap -> sasl -> kerberos (not sure how this one works, I guess
>    it is something like the ldap is a kerberos service, and users
>    authenticate to samba using the directory, but they don't use the
>    kerberos for authentication, this would mean that the SSO (single sign
>    on) would not work?).
>
> Any docs, any help is welcome,
>
> Thanks for the fast answer, and once again, thanks in advance for any
> help on this,
>
> Sincerely,
>
> Ildefonso Camargo
> [EMAIL PROTECTED]
> [EMAIL PROTECTED]
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: http://lists.samba.org/mailman/listinfo/samba