To answer my own question.
Howard Chu, on the fedora-directory-users list, answered a slightly
different version of the same query from me and I think has put me out
of my misery :)
https://www.redhat.com/archives/fedora-directory-users/2006-December/msg00165.html
Now, my University has recently implemented an enterprise AD sign-on
infrastructure that I could conceivably use for Samba Windows clients
(via one-way trust) but I'm not sure where that would leave Linux / OS X
machines. ('Course if I make all of *them* Samba clients....)
Jim
Jim Hogan wrote:
Michael, All,
I have been going back through the Samba archives looking to see if a
Samba+LDAP+Kerberos configuration is possible given my situation.
Mostly I see posts that say "You can't get there from here.", but I
don't want to give up too easily. My situation is this:
I have a new Samba 3.x domain with LDAP back end (using Fedora
Directory Server) and this stores user accounts for my university
department (about 300) and groups. For UID this Samba domain uses the
unique ID employed by the university. The university employs a very
mature SSO infrastructure that includes Kerberos. I would like my
Samba domain to use the university Kerberos realm for authentication (SSO)
while I retain control over authorization and departmental
users/groups/shares. We have a mix of Windows, Macs and Linux, so a
generalizable Kerberos authentication has even more appeal.
I have seen Samba How-To docs on using client Kerberos in an AD
environment with examples of smb.conf entries for this.
The Fedora Directory Server Wiki has a fairly straightforward entry on
how to use FDS with Kerberos:
http://directory.fedora.redhat.com/wiki/Howto:Kerberos
What I am not seeing is a way to combine the two -- configure Samba
clients as Kerberos clients which then present Kerberos credentials
to the Samba backend (LDAP) to satisfy authentication. I can't find it,
but I saw one article that seemed to suggest storing Kerberos
credentials in the LDAP NTPasswd field -- it made it seem like the
LDAP/Samba server would act as a proxy for Samba client PCs -- but I am
having a hard time seeing how you could avoid having all client PCs act
as Kerberos clients.
Like I say, I see some "not possible" replies, but some of them are
pretty dated. I also see some replies (like this one from 2004:
http://lists.samba.org/archive/samba/2004-April/084387.html ) which
propose some slightly different ways of achieving similar ends, but
not quite what I want to accomplish.
Obviously, if anybody has already implemented the type of solution I
lay out, I would buy them lunch (real or virtual) if they would share
the details. Alternatively if anybody can authoritatively spell out
why this just won't work, then I guess I can move on to the "grieving"
stage :) If there is a grey area here, some opportunity to
experiment, well, I'm game.
Thanks!
Jim
Michael Schurter wrote:
Asier Baranguán wrote:
Hi!
Perhaps this is not the appropriate list, but I need some advice.
I have a working Samba PDC with a LDAP backend over a secure TLS
connection, with W2000 and XP clients. I've read in a lot of
places that Kerberos is a very nice thing to have in the setup but I
cannot see why. I know the foundations of Kerberos but I can't see
how much "value" it will add to the setup.
Am I missing something? Please, help.
Windows clients (as well as properly configured UNIX clients) will
use Kerberos to authenticate against your PDC and between one
another. The advantage Kerberos has is that it allows single sign-on:
two clients both authenticate once against the PDC, and then they
can use their Kerberos tickets to authenticate one another as well
(without having to manually log in with usernames and passwords again).