LDAP and smb

Wong Shin Neng wsn at sebasasia.com
Thu Sep 21 08:36:30 GMT 2000

Thanks again.  I did a little research on PAM.  It looks like a very promising way for authentication.  In fact, I didn't even know that most services on Linux uses PAM.  So far, the only service that I have implemented using LDAP is Qmail.  My LDAP server is OpenLDAP which I think has everything needed as an LDAP server in terms of cost, performance, scalibility and etc. It works very nicely and cleanly.  My next objective is to replace my LAN Windows NT server with a SAMBA server for File and Print service.  In terms of user authentication, I'll probably be doing what you've suggested.  That is standard UNIX authentication with SMB.  However, most clients are Win98 machine, therefore I've to think of SMB password encryption.  That is what is really worrying.  The SMB password file have to exist in order for Win98 client authentication.  Any suggestions?  Maybe I have to use the unix password sync, passwd chat, passwd program option in Samba configuration.  But it seem to defeat the purpose of a single point of administration and a single database.  Or do I wait for the next version of Samba?

----- Original Message ----- 
  From: Arthur DAlessandro 
  To: Wong Shin Neng 
  Sent: Thursday, September 21, 2000 9:47 AM
  Subject: RE: LDAP and smb

  Well yes, PAM-LDAP is Pluggable Application Module - LDAP (lightweight directory protocol) is a plugin for most unix platforms (including LINUX ).  You setup a LDAP Server on machine, what happens with the PAM is instead of going to the tradttional /etc/passwd, it will first look in the LDAP server, you have objects (users and groups) with certain attributes (like GIDnumber, home directory and the like.. )  Let me know if you have any questions, this was all confusing before I got into it, but now it makes life much easier.  You can get a free LDAP server like openldap, or buy one like Iplanet (netscape)  directory server..  The part about encryption is, the windows clients for SMB, windows wants to send encrypted passwords, which is normal, but when using the PAM, SMB looks to unix for authentication, and needs clear text passwords for this to occur.  This will most likely be fixed with the next version of samba,  but I don't see it as a big deal as email passwords are sent in clear text.   So unix says, I have a request for nwong, goes to ldap, if the user is valid, returns ok, if not check /etc/passwd..  If it finds it there, it sends ok, otherwise, the user is denied.  

  -----Original Message-----
  From: Wong Shin Neng [mailto:wsn at sebasasia.com]
  Sent: Wednesday, September 20, 2000 9:49 PM
  To: Arthur DAlessandro
  Subject: Re: LDAP and smb


  I'm kinda lost here. You are saying that with PAM-LDAP (or something similar), you can get the authentication and authorization of Linux (which I'm using) handled by a LDAP server?  If so, I don't understand the part of password encryption.  Anyway, I'll check out the PAM-LDAP and see what's it all about.  Thanks alot. 

  ----- Original Message ----- 

  From: Arthur DAlessandro 

  To: wsn at sebasasia.com 

  Sent: Wednesday, September 20, 2000 8:26 PM

  Subject: LDAP and smb


  You should see if there is a security plugin for your version of unix/linux (most do) which redirects all system security over to an LDAP server.  It works in the background, and you use standard UNIX authentication with SMB.  It works well, the only thing so far is you need to use unencrypted passwords, but as long as their all local machines, that shouldn't be a problem; in the event SMB traffic must flow over the big I, simply create a VPN to encrypt all date (the right way to do it anyway because of other plain text protocols ie.mail).  Hope this helps..



  On Linux, I think its called PAM-LDAP.


  -Arthur Dalessandro

  adalessandro at odione.com

-------------- next part --------------
HTML attachment scrubbed and removed

More information about the samba mailing list