[Samba] Re: SAMBA + LDAP Single Signon Achieved

Tom Diehl tdiehl at rogueind.com
Sun Jun 23 08:47:03 GMT 2002 

On 23 Jun 2002, Diego Rivera wrote:

> Hello all!!
> 
> I have partially achieved full single-signon, synched passwords with
> Samba 2.2.5 and OpenLDAP 2.0.25 on Mandrake 8.2.
> 
> I can change my PDC password from a Win2K box and it synchs the
> Linux/Unix/LDAP password correctly.  I can change my password from Linux
> using 'passwd' and it synchs the PDC password.
> 
> Samba is the PDC, and uses LDAP as the smbpasswd backend.
> 
> This all works using PAM, pam_ldap, nss_ldap and pam_smbpasswd.
> 
> All the communication with LDAP (from pam_ldap and Samba) is done over
> SSL, so the security of the authenticator connections is subject to the
> strength of the SSL layer, which we all know is pretty much a "whatever
> you want" issue (with known limitations, beyond scope of this post).

Cool!! Any big hurdles??

> However, among the important issues remaining - this one is for this
> mailing list:
> 
> - I need to be able to replace pam_smbpasswd with pam_winbind or
> equivalent - i.e., a pam module that allows me to authenticate against a
> PDC, and request a password change from a PDC as opposed to changing the
> tokens directly (like pam_smbpasswd does).  pam_winbind does NOT work
> with a Samba PDC (to my knowledge and experience, at least).
> 
> Any suggestions?  Anybody know if/when pam_winbind will be able to do
> what I need?

What is it you are really trying to do? You cannot have both a samba
DC and a WIN DC in the same domain. What am I missing??

> 
> I COULD implement the module myself, using the authentication code from
> libsmbclient (as it pertains to logging on to resources), and password
> update code from smbpasswd (when told to change the password on a remote
> machine), although I don't see this as a trivial issue, and I also see
> limitations because of the PDC's authentication protocol not being
> supported by PAM (hence the coming of winbind).
> 
> Getting user lists from a PDC is NOT desirable, as we will always be
> using Samba on Linux for PDC duties and will thus be able to get the
> info from LDAP (with the same userids all over).

Same question as above.

> I hope somebody has figured this out.
> 
> I'd be glad to provide details, configurations, etc, on how to
> accomplish the same setup I have.

I am very interested in what you did to get this working. I have not
tried with 2.2.5 yet but I need to do this. Our hdq is moving in Sept.
and I do not want to move the NT P/BDC machines. If I can get the 
functionality I need form samba+LDAP, they are them gone!! 
What you did is a big part of that.

-- 
.............Tom	"Nothing would please me more than being able to 
tdiehl at rogueind.com	hire ten programmers and deluge the hobby market 
			with good software." -- Bill Gates 1976

   			We are still waiting ....

More information about the samba mailing list