Robert Markula
2009-Sep-01 14:48 UTC
[Samba] Samba authentication against Linux-based Kerberos
Hi,

please consider the following situation in a heterogeneous, Windows Server-less network, where users use both Windows and Linux:

- On Windows users authenticate against a Samba 3.3.2 PDC with tdbsam backend.
- On Linux users authenticate against a combination of OpenLDAP and Kerberos.

This, of course, brings up the old problem that users have to synchronise their passwords manually for both Windows and Linux.

The ideal solution would be that Samba would just support authentication against Linux-based Kerberos, but (correct me if I'm wrong) that doesn't seem possible with Samba3.

Is there anything else that can be done? So if users on Windows can't use Linux-based Kerberos for SSO, maybe there is at least a way for users to change their passwords on one OS and get it automatically synced for the other (i.e. if a user changes his password on a Windows machine it gets automatically changed for his Linux account as well and vice versa)?

Cheers,
Robert
David Markey
2009-Sep-01 15:25 UTC
[Samba] Samba authentication against Linux-based Kerberos
Use the popular heimdal, openldap + smbk5pwd, samba3 combo.

This will keep samba/ldap/kerberos passwords in sync no matter how or where the password is changed.

Otherwise you could do some pam hackery, perhaps stacking pam_winbind and pam_krb5 for password changing. You would have to do this on all the nodes on your network. And for the Windows side of things you could write a password change script, which would be called by samba on a password change.

On Tue, 01 Sep 2009 16:48:01 +0200, Robert Markula <robert.markula at gmx.net> wrote:
> Hi,
> please consider the following situation in a heterogeneous, Windows
> Server-less network, where users use both Windows and Linux:
>
> - On Windows users authenticate against a Samba 3.3.2 PDC with tdbsam
> backend.
> - On Linux users authenticate against a combination of OpenLDAP and
> Kerberos.
>
> This, of course, brings up the old problem that users have to
> synchronise their passwords manually for both Windows and Linux.
>
> The ideal solution would be that Samba would just support authentication
> against Linux-based Kerberos, but (correct me if I'm wrong) that doesn't
> seem possible with Samba3.
>
> Is there anything else that can be done? So if users on Windows can't
> use Linux-based Kerberos for SSO, maybe there is at least a way for
> users to change their passwords on one OS and get it automatically
> synced for the other (i.e. if a user changes his password on a Windows
> machine it gets automatically changed for his Linux account as well and
> vice versa)?
>
> Cheers,
> Robert
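
A sketch of the heimdal + openldap + smbk5pwd + samba3 combination suggested in the reply above, added here as an example and not part of the original thread. It assumes Samba is moved from tdbsam to the ldapsam backend and that Heimdal keeps its principals in the same LDAP directory; the host name, suffix and admin DN are constructed placeholders.

```conf
# --- slapd.conf (OpenLDAP), in the database section holding the accounts ---
# Assumes the Samba and Heimdal (hdb) schemas are already loaded.
moduleload  smbk5pwd
overlay     smbk5pwd
# On every LDAP Password Modify extended operation, also rewrite:
smbk5pwd-enable krb5     # the Heimdal keys (krb5Key) of the entry
smbk5pwd-enable samba    # sambaNTPassword / sambaLMPassword of the entry

# --- smb.conf (Samba 3 PDC) ---
[global]
    # Placeholder server and DNs; replace with the site's own values.
    passdb backend   = ldapsam:ldap://ldap.example.org
    ldap suffix      = dc=example,dc=org
    ldap admin dn    = cn=samba,dc=example,dc=org
    # Send only the LDAP password-modify operation on a password change
    # and let the overlay above update the Samba and Kerberos hashes.
    ldap passwd sync = only
```

The overlay acts only on the Password Modify extended operation, so a client that writes userPassword directly leaves the Samba and Kerberos hashes out of sync.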