[CentOS] SMB shares and LDAP

Wed May 23 22:49:23 UTC 2012
Ross Walker <rswwalker at gmail.com>

On May 22, 2012, at 11:07 AM, aurfalien <aurfalien at gmail.com> wrote:

> On May 21, 2012, at 11:25 PM, Gordon Messmer wrote:
>> On 05/21/2012 03:17 PM, aurfalien wrote:
>>> Is there some kind of passwd backend option in my smb.conf that allows it to query my OpenLDAP server?
>> Presumably, you're trying to avoid a proper setup:
>> http://wiki.samba.org/index.php/Replicated_Failover_Domain_Controller_and_file_server_using_LDAP
>> If you already have LDAP authentication and NSS set up, and you don't 
>> want to add Samba related attributes to your directory, you'd need to 
>> disable "encrypt passwords" in smb.conf and modify the Windows registry 
>> so that it sends your passwords in plain text:
>> http://www.encs.concordia.ca/helpdesk/howto/plain_password.html
>> Needless to say, the security of this configuration is awful, but not 
>> worse than if you're using OpenLDAP without SSL.
> Hi Gordon,
> What should my passdb backend be set to?
> Yes, you are correct, I'd rather dispense with having my ldap db be populated with Samba attributes.
> I've set up Samba + LDAP before, just unsure how to break the model.  I mean the docs are great for doing things proper, just unsure how to do it improper if you know what I mean.

Windows only authenticates CIFS with Kerberos, NTLM or plain text AFAIK.

If security is a concern this means you'll need a Kerberos system or SAM account database setup.

Kerberos is probably not an option at this point, which just leaves a SAM database of NTLM passwords.

For this scenario the database comes in two varieties (backends), openldap or passdb.

Openldap requires you to add the samba schema to your database and go through a period where it synchronizes the SAM passwords, basically implicitly trusting the client and recording the password sent to it if the password in the SAM DB is blank; if it isn't blank, then authenticating the client.

Passdb is pretty much the same except the SAM database is kept externally so no need to change your openldap schema.

I do believe there is a way to use Samba+PAM to keep the passdb synchronized with the openldap by doing a samba password change whenever an openldap password change occurs, but it's pretty fragile.

Personally I always prefer Kerberos, but it can be a bitch to set up after the fact (all those UPNs and SPNs plus nodes and applications = pain).

Google search on site:samba.org
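The thread contrasts the "improper" shortcut (disabling `encrypt passwords` so clients send plaintext) with keeping an NTLM SAM in `tdbsam` or in OpenLDAP via `ldapsam`. The following audit script is an added example, not code from the original post or from the Samba project; it parses the three constructed smb.conf snippets embedded in it and reports which of those choices each one makes. It assumes Samba's documented defaults of `encrypt passwords = yes` and `passdb backend = tdbsam` when a parameter is absent, and treats an `ldap://` URL with `ldap ssl = off` as unencrypted directory traffic.

```python
"""Audit smb.conf password-handling settings (added example, not from the thread).

Flags the plaintext-authentication shortcut and reports the SAM backend so an
admin can see at a glance which of the options discussed above a config uses.
All smb.conf snippets below are constructed for illustration.
"""
import re

# Constructed: the "improper" setup, plaintext CIFS passwords.
WEAK_SMB_CONF = """
[global]
   workgroup = EXAMPLE
   security = user
   encrypt passwords = no
"""

# Constructed: NTLM hashes in an external SAM, no change to the LDAP schema.
TDBSAM_SMB_CONF = """
[global]
   workgroup = EXAMPLE
   security = user
   encrypt passwords = yes
   passdb backend = tdbsam
"""

# Constructed: SAM held in OpenLDAP (Samba schema added), directory traffic over TLS.
LDAPSAM_SMB_CONF = """
[global]
   workgroup = EXAMPLE
   security = user
   passdb backend = ldapsam:ldap://ldap.example.com
   ldap ssl = start tls
   ldap suffix = dc=example,dc=com
"""


def parse_smb_conf(text):
    """Return {section: {param: value}}.

    smb.conf parameter names are case-insensitive and ignore internal
    whitespace, so 'Encrypt Passwords' and 'encryptpasswords' are the same key.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue  # blank line or comment
        m = re.match(r"\[(.+)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if "=" in line and current is not None:
            key, _, value = line.partition("=")
            norm = re.sub(r"\s+", "", key).lower()
            sections[current][norm] = value.strip()
    return sections


def audit(text):
    """Return a list of (severity, message) tuples for the [global] section."""
    g = parse_smb_conf(text).get("global", {})
    findings = []

    # Assumed default: encrypt passwords = yes. Any explicit "no" is the
    # plaintext shortcut the thread describes.
    if g.get("encryptpasswords", "yes").lower() in ("no", "false", "0"):
        findings.append(("high", "plaintext CIFS authentication (encrypt passwords = no)"))

    # Assumed default backend: tdbsam. The value may carry a URL after ':'.
    backend = g.get("passdbbackend", "tdbsam")
    kind, _, target = backend.partition(":")
    findings.append(("info", f"SAM backend: {kind}"))

    # ldapsam over a plain ldap:// URL with TLS explicitly switched off sends
    # the SAM lookups (including NTLM hashes) unencrypted to the directory.
    if kind == "ldapsam" and target.startswith("ldap://"):
        if g.get("ldapssl", "start tls").lower() == "off":
            findings.append(("high", "ldapsam over ldap:// with ldap ssl = off"))
    return findings


def has_high(text):
    """Convenience: True when any finding is severity 'high'."""
    return any(sev == "high" for sev, _ in audit(text))


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_SMB_CONF), ("tdbsam", TDBSAM_SMB_CONF),
                       ("ldapsam", LDAPSAM_SMB_CONF)):
        print(name, audit(conf))
```

Run it against a real `/etc/samba/smb.conf` by reading the file into `audit()`; the `[global]` section is the only one inspected because the password and backend parameters are global-only.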