Hi,
I have a scenario were I only have OpenLDAP running for authing my Linux and Windows client.
Windows is using the pGina LDAP client to talk to my OpenLDAP server, no problems, working like a charm.
However I need to setup a simple Samba file server-only.
None of my Unix boxes have a compete /etc/passwd file as every one auths against OpenLDAP.
Is there some kind of passwd backend option in my smb.conf that allows it to query my OpenLDAP server?
Thanks in advance,
- aurf
On 05/21/2012 03:17 PM, aurfalien wrote:
Is there some kind of passwd backend option in my smb.conf that allows it to query my OpenLDAP server?
Presumably, you're trying to avoid a proper setup: http://wiki.samba.org/index.php/Replicated_Failover_Domain_Controller_and_fi...
If you already have LDAP authentication and NSS set up, and you don't want to add Samba related attributes to your directory, you'd need to disable "encrypt passwords" in smb.conf and modify the Windows registry so that it sends your passwords in plain text: http://www.encs.concordia.ca/helpdesk/howto/plain_password.html
Needless to say, the security of this configuration is awful, but not worse than if you're using OpenLDAP without SSL.
On May 21, 2012, at 11:25 PM, Gordon Messmer wrote:
On 05/21/2012 03:17 PM, aurfalien wrote:
Is there some kind of passwd backend option in my smb.conf that allows it to query my OpenLDAP server?
Presumably, you're trying to avoid a proper setup: http://wiki.samba.org/index.php/Replicated_Failover_Domain_Controller_and_fi...
If you already have LDAP authentication and NSS set up, and you don't want to add Samba related attributes to your directory, you'd need to disable "encrypt passwords" in smb.conf and modify the Windows registry so that it sends your passwords in plain text: http://www.encs.concordia.ca/helpdesk/howto/plain_password.html
Needless to say, the security of this configuration is awful, but not worse than if you're using OpenLDAP without SSL.
Hi Gordon,
What should my passdb backend be set to?
Yes, you are correct, I'd rather dispense with having my ldap db be populated with Samba attributes.
I've setup Samba + LDAP before, just unsure how to break the model. I mean the docs are great for doing things proper, just unsure how to do it improper if you know what I mean.
- aurf
On May 22, 2012, at 11:07 AM, aurfalien aurfalien@gmail.com wrote:
On May 21, 2012, at 11:25 PM, Gordon Messmer wrote:
On 05/21/2012 03:17 PM, aurfalien wrote:
Is there some kind of passwd backend option in my smb.conf that allows it to query my OpenLDAP server?
Presumably, you're trying to avoid a proper setup: http://wiki.samba.org/index.php/Replicated_Failover_Domain_Controller_and_fi...
If you already have LDAP authentication and NSS set up, and you don't want to add Samba related attributes to your directory, you'd need to disable "encrypt passwords" in smb.conf and modify the Windows registry so that it sends your passwords in plain text: http://www.encs.concordia.ca/helpdesk/howto/plain_password.html
Needless to say, the security of this configuration is awful, but not worse than if you're using OpenLDAP without SSL.
Hi Gordon,
What should my passdb backend be set to?
Yes, you are correct, I'd rather dispense with having my ldap db be populated with Samba attributes.
I've setup Samba + LDAP before, just unsure how to break the model. I mean the docs are great for doing things proper, just unsure how to do it improper if you know what I mean.
Windows only authenticates CIFS with Kerberos, NTLM or plain text AFAIK.
If security is a concern this means you'll need a Kerberos system or SAM account database setup.
Kerberos is probably not an option at this point, which just leaves a SAM database of NTLM passwords.
For this scenario the database comes in two varieties (backends), openldap or passdb.
Openldap requires you to add the samba schema to your database and go through a period where it synchronizes the SAM passwords, basically implicitly trusting the client and recording the password sent to it if the password in the SAM DB is blank, if it isn't blank then authenticating the client.
Passdb is pretty much the same except the SAM database is kept externally so no need to change your openldap schema.
I do believe there is a way to use Samba+PAM to keep the passdb synchronized with the openldap by doing a samba password change whenever an openldap password change occurs, but it's pretty fragile.
Personally I always prefer Kerberos, but it can be a bitch to setup after the fact (all those UPNs and SPNs plus nodes and applications = pain).
Google search on site:samba.org
-Ross
-
aurfalien -
Gordon Messmer -
Ross Walker