I am using SASL/GSSAPI
authenticate to Kerberos from OpenLDAP. I haven't
gotten that to work
To separate and modularize some of these services, we have three servers: A file server running Samba; A directory server running OpenLDAP to provide personal and group identities; and an authentication server running Kerberos (administered by another group). Samba connects to OpenLDAP through smbldap-tools. And OpenLDAP connects to the Kerberos server via SASL/GSSAPI.
When someone requests a Samba logon, Samba requests an LDAP bind, which in turn should use SASL to authenticate via Kerberos.
The connection between Samba and OpenLDAP is working swell. It is the Kerberos connection that has me flummoxed.
Simply put, OpenLDAP with SASL2 and GSSAPI support will be running on one server, while the Kerberos KDC will be running on another server. I haven't found any documents that address this not-so-wacky design.
Almost all of the docs I found presume that I am setting up the KDC on the same server at OpenLDAP. In my case, the KDC is administered by another group who is willing to grant me access to Kerberos. However, none of the docs I've found offer help in setting up SASL/GSSAPI here and the Kerberos server elsewhere.
So when a document says, run kadmin.local, to generate a principle, that is not available to me. If I can ask specifically for what I want, I might be able to convince the kerberos administrators to do it for me, but I have to be pretty specific about what I want.
The docs I'm referring to are
Cyrus SASL for System AdministratorsIn several documents, it was suggested that before you try connecting OpenLDAP to Kerberos that you test to make sure your Kerberos configuration is working. That makes a lot of sense to me. So I want to perform a series of checks, but I don't know what those tests might be. Here's what I would like to test:
This project has been delayed weeks and weeks while I climb and climb up Samba, OpenLDAP, and Kerberos' very steep learning curve. So your prompt response will be hugely helpful.
Thanks in advance,
Specifics of my configuration:
Server Administrator & Programmer Analyst
Computing & Network Services
Information and Technology Services