Here is the requirement from the Samba 3.x, OpenLDAP and
MIT Kerberos integration to provide a single sign on:
MIT Kerberos will soon have an OpenLDAP plug-in under
DAL (Database Abstraction Layer), so that the principal and the
related information can be stored on OpenLDAP.
If the same site has the Samba 3.x providing services for both
Linux and Windows users, having OpenLDAP as the data store,
then Kerberos and Samba will maintain different sets of information
corresponding to the application, which are not integrated.
Following are the overheads:
i) the user will have to remember a password for each of the
ii) the administrator will have to administer the account and
password policies of the same user separately for the respective
In such a case, if we provide an integration between Samba users
and MIT Kerberos users to have the LDAP user password as the
common password, it would mean single sign on.
Additionally we can integrate the policies between MIT Kerberos
and Samba to tighten the account and password policy