[Samba] SAMBA + LDAP Single Signon Achieved

Diego Rivera lrivera at racsa.co.cr
Sun Jun 23 08:25:02 GMT 2002

Hello all!!

I have partially achieved full single-signon, synched passwords with
Samba 2.2.5 and OpenLDAP 2.0.25 on Mandrake 8.2.

I can change my PDC password from a Win2K box and it synchs the
Linux/Unix/LDAP password correctly.  I can change my password from Linux
using 'passwd' and it synchs the PDC password.

Samba is the PDC, and uses LDAP as the smbpasswd backend.

This all works using PAM, pam_ldap, nss_ldap and pam_smbpasswd.

All the communication with LDAP (from pam_ldap and Samba) is done over
SSL, so the security of the authenticator connections is subject to the
strength of the SSL layer, which we all know is pretty much a "whatever
you want" issue (with known limitations, beyond scope of this post).

However, among the important issues remaining - this one is for this
mailing list:

- I need to be able to replace pam_smbpasswd with pam_winbind or
equivalent - i.e., a pam module that allows me to authenticate against a
PDC, and request a password change from a PDC as opposed to changing the
tokens directly (like pam_smbpasswd does).  pam_winbind does NOT work
with a Samba PDC (to my knowledge and experience, at least).

Any suggestions?  Anybody know if/when pam_winbind will be able to do
what I need?

I COULD implement the module myself, using the authentication code from
libsmbclient (as it pertains to logging on to resources), and password
update code from smbpasswd (when told to change the password on a remote
machine), although I don't see this as a trivial issue, and I also see
limitations because of the PDC's authentication protocol not being
supported by PAM (hence the coming of winbind).

Getting user lists from a PDC is NOT desirable, as we will always be
using Samba on Linux for PDC duties and will thus be able to get the
info from LDAP (with the same userids all over).

I hope somebody has figured this out.

I'd be glad to provide details, configurations, etc., on how to
accomplish the same setup I have.


Diego Rivera
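For readers who want to reproduce the two-way synchronisation the post describes, the following is an added configuration sketch; it is not the poster's own configuration and every host name, suffix, DN and path in it is an assumed placeholder. It assumes Samba 2.2.x built with LDAP passdb support (the smb.conf options shown are documented 2.2 parameters), pam_ldap with nss_ldap already resolving the account, and that the module the post calls "pam_smbpasswd" is the pam_smbpass.so shipped with Samba. The "ldap ssl = on" line is the point the post makes about transport security: the Samba-to-directory hop carries NT/LM hashes, so it must never run in the clear, and the bind password is kept in secrets.tdb rather than in smb.conf.

```ini
# /etc/samba/smb.conf (Samba 2.2.x, ldapsam build) - assumed example values
[global]
   workgroup = EXAMPLE
   security = user
   encrypt passwords = yes
   domain logons = yes
   domain master = yes
   local master = yes
   preferred master = yes
   os level = 65

   # passdb lives in LDAP; "ldap ssl = on" means LDAPS on port 636, so the
   # NT/LM hashes exchanged with the directory are never sent in the clear
   ldap server = ldap.example.com
   ldap port = 636
   ldap ssl = on
   ldap suffix = ou=People,dc=example,dc=com
   ldap admin dn = cn=samba,dc=example,dc=com
   # the bind password is deliberately NOT in this file; store it once in
   # secrets.tdb with:  smbpasswd -w <password>

   # Windows-initiated change: after updating the NT hash, Samba runs the
   # passwd program through PAM so the LDAP userPassword follows suit.
   # Adjust "passwd chat" to the prompts your PAM stack actually emits.
   unix password sync = yes
   pam password change = yes
   passwd program = /usr/bin/passwd %u
   passwd chat = *New*password* %n\n *Retype*new*password* %n\n *changed*

# /etc/pam.d/passwd - the "password" stack below is what both the Linux
# "passwd" command and Samba's unix password sync run.  cracklib collects
# the new token once; pam_smbpass then writes the Samba hashes and pam_ldap
# writes userPassword, each reusing that token (use_authtok).
auth       required     /lib/security/pam_unix.so
account    required     /lib/security/pam_unix.so
password   required     /lib/security/pam_cracklib.so retry=3
password   required     /lib/security/pam_smbpass.so use_authtok nullok
password   required     /lib/security/pam_ldap.so use_authtok
```

Both password modules are "required" rather than "sufficient" so that a change is refused unless the NT hashes and the LDAP password are updated together; marking pam_ldap "sufficient" would stop the stack before pam_smbpass ran, leaving the two credentials out of step. This sketch still has the limitation the post is asking about: the Linux side writes the Samba tokens directly instead of requesting the change from the PDC.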
