Andrew Bartlett wrote:
| On Sat, Apr 10, 2004 at 12:09:49PM +0200, Sensei wrote:
|
|>Hi.
|>
|>I've built an afs cell, a kerberos kdc, an openldap server, all
|>kerberized. Now all linux clients can login on the cell using k5
|>authentication, finding information about their home dirs with ldap.
|>Their homes reside on the afs cell, which allows r/w access since it
|>releases a token from the k5 ticket. All macosx clients can login as
|>well... but what about windows? ^___^;;;
|>
|>I've been sent here from a kerberos group, telling me samba could be
|>useful.
|>
|>I'd like to avoid creating windows users on every windows client... and
|>I know I can set up an AD server, creating users on kerberos/afs/ldap
|>AND the same users on AD... quite long...
|>
|>Is samba of any use? Can I grant tickets and tokens via samba, mapping
|>windows home directories on the afs home dir? This information can be
|>retrieved from openldap...
|
|
| Samba cannot use the kerberos tickets directly - not unless the KDC is
| Active Directory (for now). But it is possible for Samba to use the
| same password store. (For NTLM, but not kerberos passwords)
|
| What is your KDC? MIT or Heimdal? Are you using the Heimdal LDAP backend?
|
| If you are running Heimdal, what version? Could you run a current snapshot?
|
| While the work is still new, there is support in Heimdal to read Samba
| password entries in LDAP. There is also an OpenLDAP plugin to set
| both Samba and Kerberos passwords on password change.
|
| You would need to manually edit your LDAP database, to expose the
| passwords in 'Samba' format - potentially a dump and restore of the
| Heimdal entries might do it, if the sambaSamAccount objectClass was
| added, and you used a current snapshot.
|
| (The type 23 arcfour-hmac-md5 enctype is the Samba NT password)
|
| Andrew Bartlett
The hdb-ldap.c (Heimdal using NTPassword) changes seem to be integrated in current Heimdal snapshots. Where could we find the LDAP password synchronization patch, and what OpenLDAP version does it apply to?
Thanks,
Geza
