[Samba] Samba+e-Directory Working! (fwd)
abartlet at samba.org
Mon Oct 27 13:15:29 GMT 2003
On Mon, 2003-10-27 at 14:25, Chuck Stuettgen wrote:
> On Sun, 2003-10-26 at 00:32, Andrew Bartlett wrote:
> > > The exciting news is; I have Samba+e-Directory authentication working!
> > Not really...
> > >
> > > encrypt passwords = no
> > That really doesn't count as 'working'. Working would be actually using
> > ldapsam against edirectory. We have bugs out against that, it appears
> > that (at least certain versions of) edirectory does not follow the
> > relevant RFCs.
> How does not using encrypted passwords support your assertion that Samba
> is not using eDirectory for authentication?
I did not make that assertion. I however do assert that any solution
that relies on plaintext passwords is flawed, insecure and buggy.
There are a large number of known issues (starting with the need to patch
the clients, but much worse than that) with plaintext CIFS
authentication. Fundamentally, it is untested by Microsoft, with all
> The facts are:
> 1. Until I recompiled Samba to include the -with-ldapsam option I was
> not able to connect to the Samba shares.
I'm not sure where this fits in, but the point is moot.
> 2. There are no local user accounts contained in either the Linux passwd
> file or the Samba smbusers file.
> 3. Windows clients are using their Novell user id's and passwords when
> authenticating to the Samba shares.
> 4. With the appropriate pam_mkhomedir.so commands in /etc/pam.d/samba,
> the users home directory is automatically created the first time the
> user connects to the Samba server, and the user has full rights the
> 5. I can provide DSTRACE LDAP log files that clearly show the
> authentication process.
> There obviously is an issue with using encrypted passwords with Samba
> and eDirectory. But, given the above facts, I can not honestly see how
> you can say that Samba is not using eDirectory for authentication.
I am warning other users that the solution you suggest is not stable,
reliable nor long-term functional. It requires explicitly disabling
Microsoft's own security policies, and cannot be used in a PDC setting.
> If I am wrong, please enlighten me.
> > https://bugzilla.samba.org/show_bug.cgi?id=330
> Looking at this bug, the resolution is listed as "WONTFIX". Does this
> mean there are no plans to work with Novell on Samba/eDirectory support?
We are waiting for Novell to fix their product. There is little we can
do until they do that. (We rely on certain RFC-specified behaviour in
order to perform certain atomic updates).
> BTW I am using eDirectory 8.71 running on a NetWare 6.0 SP3 server.
> In case this post does not come across in the spirit that it is
> intended, please be aware that it is not meant to be combative in
> any way. My ONLY goal is to use Samba in an eDirectory environment and
> contribute back to the Samba community my experiences in doing so.
> So far I have successfully set up two Samba servers and I am in the
> process of documenting the procedure. I will post the completed
> document on my website when I am satisfied that anyone can follow it.
I wish you luck, but strongly warn you to keep a very close eye on your
system's stability, particularly in relation to network drop-outs.
Andrew Bartlett abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team abartlet at samba.org
Student Network Administrator, Hawker College abartlet at hawkerc.net
http://samba.org http://build.samba.org http://hawkerc.net
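A configuration check for the setting discussed in this thread, added here as an example (it is not code from the thread or from the Samba project): it scans smb.conf text for `encrypt passwords` set to a false value, the setting that enables plaintext CIFS authentication. The function names and the sample configuration are constructed for illustration.

```python
import re
# Boolean spellings treated as "false" (smb.conf(5) documents yes/no, 1/0, true/false).
FALSE_VALUES = {"no", "false", "0", "off"}

def _logical_lines(text):
    """Yield (first_line_number, joined_line), honouring trailing-backslash continuation."""
    buf, start = "", None
    for n, raw in enumerate(text.splitlines(), 1):
        if start is None:
            start = n
        if raw.rstrip().endswith("\\"):
            buf += raw.rstrip()[:-1]
            continue
        yield start, buf + raw
        buf, start = "", None
    if start is not None:
        yield start, buf

def find_plaintext_auth(conf_text):
    """Return [(line_no, section, value)] for every 'encrypt passwords' set to false."""
    findings, section = [], None
    for n, line in _logical_lines(conf_text):
        line = line.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).strip().lower()
            continue
        name, sep, value = line.partition("=")
        if not sep:
            continue
        # Samba compares parameter names ignoring case and embedded whitespace.
        key = re.sub(r"\s+", "", name).lower()
        if key == "encryptpasswords" and value.strip().lower() in FALSE_VALUES:
            findings.append((n, section, value.strip()))
    return findings

# Constructed sample configuration, not taken from the thread.
SAMPLE = """\
[global]
   workgroup = EXAMPLE
   ; encrypt passwords = no   (commented out, ignored)
   Encrypt  Passwords = No
"""

if __name__ == "__main__":
    for line_no, section, value in find_plaintext_auth(SAMPLE):
        print(f"line {line_no} [{section}]: encrypt passwords = {value}")
```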