[Samba] Samba4 as a "plain LDAP" server?
Andrew Bartlett
abartlet at samba.org
Sun Mar 21 01:49:54 MDT 2010
On Wed, 2010-03-17 at 13:40 +0800, David Adam wrote:
> On Tue, 16 Mar 2010, SMC wrote:
> > On Monday 15 March 2010 22:42:41 Mike wrote:
> > > I may well be insane, but as soon as I read your question, I thought
> > > "how novel" and now want to find out the answer, myself.
> >
> > Well, not necessarily novel if I reword my question as "Would I still have to
> > maintain two separate authentication databases if I want to use Samba4 with
> > some non-Microsoft clients that don't have Samba installed?"
> >
> > For example, can Samba4 work with mail or web servers that can authenticate
> > via "LDAP", or simple Linux workstations that I don't necessarily want to
> > implement and maintain full-scale "ActiveDirectory(tm)"-mode authentication
> > for?
> >
> > The need to maintain two separate authentication databases has been my biggest
> > annoyance with Samba (I realize this isn't the fault of Samba but rather a
> > consequence of Microsoft's "special" password-hashing method). That means
> > if you don't use Samba every time you change your password, you end up with
> > your normal password and your Windows/Samba password out of sync.
>
> We use the smbk5pwd overlay for OpenLDAP to solve this problem - when you
> change your password using 'passwd' on a Linux machine or on a Windows
> machine, all password entries are updated.

I have to say that smbk5pwd and the hooks I added to Samba to make this
work have been a great stopgap for the past few years. (I also wrote
the original extensions to Heimdal to have it read the sambaNTPassword
attribute, and the other Samba flags.)

With Samba4, the restrictions we have in the AD design (much closer
integration with the KDC and LDAP server) have meant that these parts
must now be under Samba4's control.

I hope this clarifies things,

Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Cisco Inc.