[Samba] Samba+e-Directory Working! (fwd)

Andrew Bartlett abartlet at samba.org
Mon Oct 27 13:15:29 GMT 2003


On Mon, 2003-10-27 at 14:25, Chuck Stuettgen wrote:
> On Sun, 2003-10-26 at 00:32, Andrew Bartlett wrote:
> 
> > > The exciting news is; I have Samba+e-Directory authentication working!
> > 
> > Not really...
> > 
> > > 
> > >   encrypt passwords = no
> > 
> > That really doesn't count as 'working'.  Working would be actually using
> > ldapsam against edirectory.  We have bugs out against that, it appears
> > that (at least certain versions of) edirectory does not follow the
> > relevant RFCs.
> 
> 
> How does not using encrypted passwords support your assertion that Samba
> is not using eDirectory for authentication? 

I did not make that assertion.  I however do assert that any solution
that relies on plaintext passwords is flawed, insecure and buggy.  

There are a large number of known issues (starting with the need to patch
the clients, but much worse than that) with plaintext CIFS
authentication.  Fundamentally, it is untested by Microsoft, with all
that implies.

> The facts are:
> 
> 1. Until I recompiled Samba to include the -with-ldapsam option I was
> not able to connect to the Samba shares.

I'm not sure where this fits in, but the point is moot.

> 2. There are no local user accounts contained in either the Linux passwd
> file or the Samba smbusers file. 
> 3. Windows clients are using their Novell user id's and passwords when
> authenticating to the Samba shares.
> 4. With the appropriate pam_mkhomedir.so commands in /etc/pam.d/samba,
> the user's home directory is automatically created the first time the
> user connects to the Samba server, and the user has full rights to the
> directory. 
> 5. I can provide DSTRACE LDAP log files that clearly show the
> authentication process.
> 
> 
> There obviously is an issue with using encrypted passwords with Samba
> and eDirectory. But, given the above facts, I can not honestly see how
> you can say that Samba is not using eDirectory for authentication.

I am warning other users that the solution you suggest is not stable,
reliable nor long-term functional.  It requires explicitly disabling
Microsoft's own security policies, and cannot be used in a PDC setting.

> If I am wrong, please enlighten me.
> 
> 
> > https://bugzilla.samba.org/show_bug.cgi?id=330
> > 
> 
> Looking at this bug, the resolution is listed as "WONTFIX". Does this
> mean there are no plans to work with Novell on Samba/eDirectory support?

We are waiting for Novell to fix their product.  There is little we can
do until they do that.   (We rely on certain RFC-specified behaviour in
order to perform certain atomic updates).

> BTW I am using eDirectory 8.71 running on a NetWare 6.0 SP3 server. 
> 
> Finally, 
> 
> In case this post does not come across in the spirit that it is
> intended, please be aware that it is not meant to be combative in
> any way.  My ONLY goal is to use Samba in an eDirectory environment and
> contribute back to the Samba community my experiences in doing so. 
> 
> So far I have successfully set up two Samba servers and I am in the
> process of documenting the procedure.  I will post the completed
> document on my website when I am satisfied that anyone can follow it.

I wish you luck, but strongly warn you to keep a very close eye on your
system's stability, particularly in relation to network drop-outs.

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
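
An added example, not part of the original message or of Samba's own code: a small audit that finds the `encrypt passwords = no` setting discussed above in an smb.conf, allowing for the case-insensitive, whitespace-insensitive parameter names and backslash line continuations that smb.conf permits. The function names and the sample configuration are constructed for illustration.

```python
import re

# Spellings Samba accepts for a false boolean value.
FALSE_WORDS = {"no", "false", "off", "0"}

# Constructed sample smb.conf, not taken from the original post.
SAMPLE = """\
[global]
   workgroup = EXAMPLE
   Encrypt  Passwords = No
; encrypt passwords = no
[homes]
   read only = no
"""

def normalise(name):
    """smb.conf names ignore case and all whitespace."""
    return re.sub(r"\s+", "", name).lower()

def logical_lines(text):
    """Yield (first_line_no, line), joining trailing-backslash continuations."""
    buf, start = "", None
    for num, raw in enumerate(text.splitlines(), 1):
        start = num if start is None else start
        if raw.rstrip().endswith("\\"):
            buf += raw.rstrip()[:-1]
            continue
        yield start, buf + raw
        buf, start = "", None
    if start is not None:
        yield start, buf

def plaintext_auth_findings(text):
    """Return [(line_no, section)] where 'encrypt passwords' is switched off."""
    section, findings = "global", []  # assumption: pre-section lines count as global
    for num, line in logical_lines(text):
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = normalise(line[1:-1])
            continue
        name, sep, value = line.partition("=")
        if sep and normalise(name) == "encryptpasswords" \
                and value.strip().lower() in FALSE_WORDS:
            findings.append((num, section))
    return findings

if __name__ == "__main__":
    print(plaintext_auth_findings(SAMPLE))
```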