[Samba] LDAP authentication only with SAMBA

Angel Galindo Muñoz agalindo at ub.edu
Wed Dec 1 10:58:11 GMT 2004


	Well, I'll give you my point of view according to what I have
understood in howto-collection and my samba experience:

	Using LDAP, Samba distinguishes two things:
	-a) authentication against the UN*X account
	-b) all the other SAMBA-accounting data (expiration, ntpassword,
lmpassword, ...).

	No matter if you use ldapsam, the users will still have to be
authenticated against the UN*X accounts database. So, if you use NSS +
PAM + LDAP you can have those credentials checked against the LDAP
(using pamldap or pamunix) (pamunix is preferred because the passwd moves
encrypted through the network).

	This way you can avoid using the LDAP posix scheme and put all 
SAMBA-accounting data on your files (smbpasswd...) and doing the first 
authentication against LDAP (posixaccount...) but you have to remember 
that you always have to check LMPassword and NTPassword, which should
also be set, and they are part of SAMBA accounting data.

	So, you'll have to set and change user's passwords both in LDAP and
smbpassword file. This way I can't find any advantage in keeping ldap
authentication but still having data on smbpasswd file. If you are going
to authenticate against LDAP I think it is better to put all the data also
on LDAP and it will be easier for you to maintain your accounting database.

	Hope it helps, James!

Adam Tauno Williams wrote:
>>This question has probably been asked before, but I would like to ask it
>>again. I know all about LDAP authentication between samba and an LDAP
>>service with the proper schema in place. You create an entry in the LDAP
>>database with all the samba privileges in place. I want to just
>>authenticate with a LDAP service and not use a special samba schema.
> No, not possible.  (Well you might be able to if you hack to disable
> encrypted passwords, etc... but I doubt it would work as a DC).
>> We use
>>LDAP to authenticate for telnet, ftp and proxy services. This LDAP service
>>is used for single sign on type of authentication so that the user does not
>>need to have dozens of passwords for different servers and services. I want
>>to use LDAP with samba for the same reason. I will create an entry on the
>>samba host in the samba smbpasswd file, but want to go against the LDAP
>>server for the password. Can this be done?
> This works, but must be done in collaboration with the Samba schema
> extensions.

Angel Galindo Muñoz
agalindo at ub.edu
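
The point above, that an account can pass the UN*X (posixAccount) check while still lacking the Samba account data, can be audited from a directory export. The following is an added example, not part of the original message or of Samba: the LDIF is constructed, and the attribute and objectClass names (sambaSamAccount, sambaNTPassword, sambaLMPassword) are assumed from the Samba 3 LDAP schema.

```python
# Constructed sample LDIF (not from the original post); hash values are placeholders.
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=org
objectClass: posixAccount
objectClass: sambaSamAccount
uid: alice
sambaNTPassword: PLACEHOLDER-NT-HASH
sambaLMPassword: PLACEHOLDER-LM-HASH

dn: uid=bob,ou=People,dc=example,dc=org
objectClass: posixAccount
uid: bob

dn: uid=carol,ou=People,dc=example,dc=org
objectClass: posixAccount
objectClass: sambaSamAccount
uid: carol
"""
REQUIRED = ("sambaNTPassword", "sambaLMPassword")  # assumed Samba 3 schema names

def parse_ldif(text):
    """Return one {lowercased attribute: [values]} dict per LDIF entry."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:   # LDIF folded continuation line
            lines[-1] += raw[1:]
        elif not raw.startswith("#"):       # skip comment lines
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:               # trailing "" flushes the last entry
        if line.strip():
            attr, _, value = line.partition(":")
            current.setdefault(attr.strip().lower(), []).append(value.lstrip(": ").strip())
        elif current:
            entries.append(current)
            current = {}
    return entries

def audit(entries):
    """Map uid -> problems for posixAccount entries lacking Samba account data."""
    findings = {}
    for e in entries:
        classes = {c.lower() for c in e.get("objectclass", [])}
        if "posixaccount" not in classes:
            continue
        problems = [] if "sambasamaccount" in classes else ["no sambaSamAccount objectClass"]
        problems += [f"missing {a}" for a in REQUIRED if not any(e.get(a.lower(), []))]
        if problems:
            findings[e.get("uid", ["?"])[0]] = problems
    return findings
```

Calling `audit(parse_ldif(SAMPLE_LDIF))` reports bob and carol and leaves alice out.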
