[Samba] SAMBA + LDAP Single Signon Achieved

Andrew Bartlett abartlet at samba.org
Sun Jun 23 17:05:02 GMT 2002

Diego Rivera wrote:
> Hello all!!
> I have partially achieved full single-signon, synched passwords with
> Samba 2.2.5 and OpenLDAP 2.0.25 on Mandrake 8.2.
> I can change my PDC password from a Win2K box and it synchs the
> Linux/Unix/LDAP password correctly.  I can change my password from Linux
> using 'passwd' and it synchs the PDC password.
> Samba is the PDC, and uses LDAP as the smbpasswd backend.
> This all works using PAM, pam_ldap, nss_ldap and pam_smbpasswd.
> All the communication with LDAP (from pam_ldap and Samba) is done over
> SSL, so the security of the authenticator connections is subject to the
> strength of the SSL layer, which we all know is pretty much a "whatever
> you want" issue (with known limitations, beyond scope of this post).
> However, among the important issues remaining - this one is for this
> mailing list:
> - I need to be able to replace pam_smbpasswd with pam_winbind or
> equivalent - i.e., a pam module that allows me to authenticate against a
> PDC, and request a password change from a PDC as opposed to changing the
> tokens directly (like pam_smbpasswd does).  pam_winbind does NOT work
> with a Samba PDC (to my knowledge and experience, at least).

Yes, it does.  You may however need to use Samba HEAD for winbindd
itself to function. 

> Any suggestions?  Anybody know if/when pam_winbind will be able to do
> what I need?
> I COULD implement the module myself, using the authentication code from
> libsmbclient (as it pertains to logging on to resources), and password
> update code from smbpasswd (when told to change the password on a remote
> machine), although I don't see this as a trivial issue, and I also see
> limitations because of the PDC's authentication protocol not being
> supported by PAM (hence the coming of winbind).

That's all pam_winbind does, btw.  It just goes over the winbind pipe
first, but that is all it actually does - winbindd then makes the same
call as smbpasswd does.

> Getting user lists from a PDC is NOT desirable, as we will always be
> using Samba on Linux for PDC duties and will thus be able to get the
> info from LDAP (with the same userids all over).

Make sure to set 'winbind use default domain' then, so winbind doesn't
demand a 'domain\' prefix.  Again, this is only supported in HEAD.

> I hope somebody has figured this out.
> I'd be glad to provide details, configurations, etc, on how to
> accomplish the same setup I have.

The other way to do this would be to implement a plugin for the ldap
server that changed both the unix and NT passwords at the same time - I
understand that this is supported, but I've not messed with it myself.
That would allow you to just use pam_ldap on your Linux clients.

Andrew Bartlett

Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
