[Samba] Samba/LDAP Authentication and SSL Conflicts

Bill Alexander bill.alexander at mrcmry.com
Thu Dec 5 22:00:01 GMT 2002 

I'm having a problem with Samba/LDAP authentication for Windows boxen
from my Samba PDC.  I've diagnosed as much as I can and fiddled with the
relevant settings I know of, but I'm not making any progress.  

I'm running stock Red Hat 8.0 with LDAP (OpenLdap 2.0.25) authentication
(fully tested and working).  I have Samba (ver. 2.2.5) set up as PDC,
which works flawlessly (all shares, roaming profiles, etc.) when using
smbpasswd for authentication.

However, when I rebuild Samba for LDAP authentication (edit samba.spec
to include the --with-ldap option, then rpmbuild -ba samba.spec and
reinstall the RPMs), I observe the following problem.

1) In my smb.conf, the "ldap ssl" option is unspecified, which should
default to "on".

2) Logon from Windows2000 (from a machine already joined to the domain)
is successful - LDAP authenticates the login.

3) However, shares are not visible (e.g. [profiles] and [homes]) because
Samba (on the PDC, which is also the share server) can't connect to the
LDAP server daemon.  Samba can't authenticate the share access request.

4) Set the option "ldap ssl = no" in smb.conf.  Restart Samba, but KEEP
THE WINDOWS SESSION LOGGED IN (login authentication complete).

5) Share access (on the Windows box) is now granted - Samba can connect
to the LDAP server and authenticate.  The [homes] share is successfully
shared with the already-logged-in Windows2000 session.

6) Logout of the Windows session.  Remember that the Samba option "ldap
ssl = no" is still set.

7) Logon to the Windows session is now broken.  The Windows box can't
access the LDAP authentication server, presumably because I turned off
SSL.

My diagnosis is that Win2kPro uses SSL for secure login but not for
share accesses?  Does this make any sense?  Seems like Samba is polling
different ports for the LDAP, and gets a response one way, but not the
other.

I've tried altering the SSL settings in ldap.conf, but turning these on
makes my Unix side logins fail (I'm not using the SSL capable libraries,
I think, and this conflicts with PAM, or something like that).

I have Samba logs for the events described above, but they're difficult
to export.  Hopefully the diagnosis above is enough, but if anyone has
an idea and the logs would help, I can try to post them as well.

The assorted HOWTOs and websites describing Samba/LDAP are a bit sketchy
on this point (i.e. the interaction of Windows/Samba/LDAP/SSL), and
don't directly address SSL's role in Windows authentication.  I just
can't decipher what it is that I'm missing.

Anybody got an idea for what I can try next?

Thanks in advance,

- Bill
-- 
Bill Alexander <bill.alexander at mrcmry.com>
Mission Research Corporation

More information about the samba mailing list