[Samba] pam_ldap

[Geddes]

On Mon, 5 May 2003, rossp at ppc.ucsc.edu wrote:

> > pam.conf)? I already searched the whole internet for more information
> > regarding this, but I could find anything similar which could help me.
> 
> hehe, yeah, you won't find enough, or at least I couldn't.  There are
> a number of things to understand and get working.
> 
> First off, you will need Samba 2.2.8a, nothing old.
> 
> Second off, you will need to compile it yourself and be sure to give
> "--with-pam --with-pam_smbpass --with-ldapsam" to the configure script
> before making and installing.
> 
> Then when your compiled version of samba is installed.  Make sure you
> have the ldap options set in your smb.conf file.  There *is*
> documentation on that much.
> 
> Also, do "smbpasswd -w" at your command prompt and give it the
> password samba should use to access the protected password attributes
> of the LDAP directory, this usually means your main LDAP admin
> password.
> 
> Now copy the samba.schema file from the "examples/LDAP" directory in
> your samba source directory to some place sensical, probably next to
> the rest of your LDAP schema files in "/etc/ldap/shcema/".  Add a line
> to your slapd.conf file:
> 
> "include         /etc/ldap/schema/samba.schema"
> 
> ...or something like that.  You probably also want to add some access
> control statements in your slapd.conf file to protect the samba
> password attributes.  You can find samples of these statements out
> there somewhere.
> 
> Restart your slapd and smbd and then you should be able to use the
> appropriate "smbpasswd -a" command to add the samba password
> attributes to an existing UNIX user's LDAP entry.  Then you should be
> able to log into the samba server from a windows machine.  After you
> successfully log in, manually check your test users LDAP entries to
> make sure it has the "lmPassword" and "ntPassword" attributes.  Then
> check your smbpasswd file manually to make sure it has *no* entry for
> the test user.  If so then you just successfully logged into your
> samba server with an LDAP user.
> 
> Now getting the password attributes to all stay in sync no matter how
> the password gets changed is a whole nother saga.  Be happy to write
> that one up too, but get the log in working first.
> 
> Good luck.
> 
> Ross Patterson
> Programmer/Analyst
> 831-459-2792
> rossp at ucsc.edu
> 1156 High St, Barn G, PP&C
> Santa Cruz, CA 95064
> 
> On Mon, 5 May 2003, Schelstraete Bart wrote:
> 
> > Hello,
> >
> > I have a -maybe stupid question regardin pam_ldap and Samba,and I really
> > hope that somebody can help me.
> >
> > I currently using pam_ldap so that users can login on the Unix machine
> > with their LDAP userid/password.
> > Now I want to configure Samba so that he also uses that pam_ldap for
> > that authentication. But please note that I only want to authenticate
> > tru the LDAP, so nothing else is stored in the LDAP server.
> >
> > Do somebody know if this is possible. If so , can somebody point me in
> > the correct direction (what do I need to modify in smb.conf and
> > pam.conf)? I already searched the whole internet for more information
> > regarding this, but I could find anything similar which could help me.
> >
> > Tnx in advance,
> >
> >          Bart
> >
> >
> >
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions:  http://lists.samba.org/mailman/listinfo/samba
> >
> 
> 
> 


Hello Mr. Ross Patterson,

Finally it seems that there is a person that has achieved what I have been 
trying to do. So far I'am at the stage where I can log into my samba 
server and map drives from windows. The steps you have mentioned are 
exactly the same steps I have done.

I'am now at the stage where I'am trying to keep the passwords in sync. At 
this point to create a samba user from an existing user in the LDAP I do a 
smbpasswd -a <user> as root. This works well however, If a user tries to 
change his own passwd like this :

bash-2.05a$ smbpasswd
Old SMB password:
New SMB password:
Retype new SMB password:
machine 127.0.0.1 rejected the password change: Error was : RAP86: The 
specified password is invalid.
Failed to change password for jgeddes12

So to get around this I'am using a script that authenicates the user to 
the tree and does an LDAP modify to change there password. However, this 
script has to be run at the command line of a linux box. So for windows, 
I thought that I might be able to use (in smb.conf): 
 
  password level = 8
  username level = 8
  encrypt passwords = yes
  unix password sync=yes
  passwd program = /usr/local/sbin/smbldap-passwd.pl %u
  passwd chat = *New*password* %n\n *Retype*new*password* %n\n 
  *passwd:*all*authentication*tokens*updated*successfully*
to run the script when the user changes there password with windows. 

This doesn't work and may be due to windows sending a hashed password that 
doesn't match the hash created with mkntpwd called by smbldap-passwd.pl.
or maybe what I'am trying todo just can't be done.

I'am not sure what I can do to trouble shoot this problem. The error from 
windows seem to indicate that the password old passwords don't match, but 
this error message could be generic. I tried using ethereal to see what is 
going on and it seems to eventually bind to the LDAP tree as manager then 
does nothing and unbinds.

I'am very curious to see what you have done.... Note I'am not using samba 
as a PDC all I want to do is windows mappings to samba and have all the 
user info in LDAP.

-- 
Jeff Geddes, BSc(UNB)
Computer Systems Specialist
University of New Brunswick
Faculty of Computer Science
eMail: jgeddes at unb.ca
office: Rm. E119
phone : (506) 452-6102
fax   : (506) 453-3566