[Samba] Samba4 as a "plain LDAP" server?

Andrew Bartlett abartlet at samba.org
Sun Mar 21 01:49:54 MDT 2010


On Wed, 2010-03-17 at 13:40 +0800, David Adam wrote:
> On Tue, 16 Mar 2010, SMC wrote:
> > On Monday 15 March 2010 22:42:41 Mike wrote:
> > > I may well be insane, but as soon as I read your question, I thought
> > > "how novel" and now want to find out the answer, myself.
> > 
> > Well, not necessarily novel if I reword my question as "Would I still have to 
> > maintain two separate authentication databases if I want to use Samba4 with
> > some non-Microsoft clients that don't have Samba installed?"
> > 
> > For example, can Samba4 work with mail or web servers that can authenticate 
> > via "LDAP", or simple Linux workstations that I don't necessarily want to 
> > implement and maintain full-scale "ActiveDirectory(tm)"-mode authentication 
> > for?
> > 
> > The need to maintain two separate authentication databases has been my biggest
> > annoyance with Samba (I realize this isn't the fault of Samba but rather a 
> > consequence of Microsoft's "special" password-hashing method).  That means
> > if you don't use Samba every time you change your password, you end up with 
> > your normal password and your Windows/Samba password out of sync.
> 
> We use the smbk5pwd overlay for OpenLDAP to solve this problem - when you 
> change your password using 'passwd' on a Linux machine or on a Windows 
> machine, all password entries are updated.

I have to say that smbk5pwd and the hooks I added to Samba to make this
work have been a great stopgap for the past few years.  (I also wrote
the original extensions to Heimdal to have it read the sambaNTPassword
attribute, and the other Samba flags.)

With Samba4, the restrictions we have in the AD design (much closer
integration with the KDC and LDAP server) have meant that these parts
must now be under Samba4's control. 

I hope this clarifies things,

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Cisco Inc.