Re: [Samba] Authentification against kerberos / sssd
- Date: Tue, 11 Dec 2018 18:19:01 +0100
- From: walk2sun via samba <samba@xxxxxxxxxxxxxxx>
- Subject: Re: [Samba] Authentification against kerberos / sssd
On 11.12.18 at 15:36, tseegerkrb via samba wrote:
On 11.12.18 15:23, Rowland Penny via samba wrote:
On Tue, 11 Dec 2018 15:09:39 +0100
tseegerkrb via samba <samba@xxxxxxxxxxxxxxx> wrote:
a quick question. Right now I have a combination of MIT Kerberos,
OpenLDAP and SSSD for authenticating my users. Is there a way that
Samba can use this setup to perform user authentication? I only want
to access the shares of the Samba server from about 8 Windows
computers. I am aware that I cannot make an Active Directory out of
The Samba 3 code supports OpenLDAP as a store for users, machines, groups
and other things you need.
At the moment I have stored the users in a local passdb, which works
but is very unpleasant.
This is really bad. I assume that you mean your userdb for Samba is
local tdb files.
Switch to ldapsam.
That is why Microsoft came up with domains ;-)
If you look at Active Directory, it is basically composed of kerberos,
ldap and dns, so you can replace your kerberos and ldap servers with a
Samba AD DC; this also comes with winbind, which will replace sssd.
There is just one possible fly in the ointment: you mention MIT & sssd,
is this using a Red Hat OS?
If it is, you cannot use the OS packages to create an AD DC, or if you
can (Fedora), it shouldn't be used in production.
thanks for your answer but I don't want to replace my kerberos & ldap
setup with an AD server. Basically I only want to control access to the
handful of Samba shares.
Your users should auth against OpenLDAP with exop control enabled.
OpenLDAP should hand over the auth to kerberos. And then install
slapo-smbk5pwd on your openldap server. This overlay will sync the samba
Hint: I have never used sssd and I am sure I never will. For this
classic Samba setup I prefer nslcd as pam and nss provider. Winbind will
If you are interested in such a setup, I am willing to help.
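
A configuration sketch of the ldapsam plus slapo-smbk5pwd setup described in the reply above, added here as an example and not taken from any poster's system. The host name, base DN, bind DN and workgroup are placeholder assumptions, and the OpenLDAP part assumes a slapd.conf-style configuration.

```conf
# --- smb.conf on the standalone file server (all names are placeholders) ---
[global]
    workgroup = EXAMPLE
    security = user

    # Keep Samba accounts in OpenLDAP instead of local tdb files
    passdb backend = ldapsam:ldap://ldap.example.com
    ldap suffix = dc=example,dc=com
    ldap user suffix = ou=People
    ldap group suffix = ou=Groups
    ldap machine suffix = ou=Computers
    ldap admin dn = cn=samba,dc=example,dc=com

    # sambaNTPassword hashes are password-equivalent: never send them in clear
    ldap ssl = start tls

    # Let the directory (smbk5pwd overlay) maintain the Samba hashes
    ldap passwd sync = only

# --- slapd.conf on the OpenLDAP server (assumed slapd.conf-style config) ---
# Loaded in the global section:
moduleload smbk5pwd

# Inside the database section that holds the accounts:
overlay smbk5pwd
# Update sambaNTPassword on every LDAP Password Modify extended operation.
# The overlay's krb5 mode is written for Heimdal, so with an MIT KDC only
# the samba mode is enabled in this sketch.
smbk5pwd-enable samba

# Restrict who can read or write the password attributes
access to attrs=userPassword,sambaNTPassword,sambaLMPassword
    by dn.exact="cn=samba,dc=example,dc=com" write
    by self write
    by anonymous auth
    by * none
```

The bind password for the `ldap admin dn` is stored on the file server with `smbpasswd -w`, so the account used there should have no rights beyond the Samba attributes.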