[Samba] samba with ldap and digest-md5

Tarjei Huse tarjei at nu.no
Mon Oct 18 08:10:35 GMT 2004

On Mon, 18.10.2004 at 06:40 +0000, Ben Booble wrote:
> Hi all,
> I am running samba-server-3.0.6-4.1.100mdk,  openldap-servers-2.1.25-6mdk, 
> lib64sasl2-plug-digestmd5-2.1.15-10.1.100mdk.  I have searched through the 
> lists and I am wondering if I am the only one doing this kind of set-up..
> Anyway question is as follows:  In my ldap server I have normal posix 
> accounts with plain text password that are sorted out by a sasl-regex in the 
> slapd.conf and that works well.  With smb, how does it handle passwords 
> between it and ldap and does anyone know of any special configuration 
> settings should be in place to get it to work?  I have read the IDEALX doco 
> and several contradictory ones so god knows which is right.  At the moment 
> the smb server sees the request from a client (adding a pc to the domain), 
> goes off to authenticate but comes back with invalid credentials for the 
> "administrator" user.   I am almost sure it is because of the way samba send 
> the password but I don't really know.
> I know more about ldap than I do about samba so I am hoping to get some 
> extra insight to how smb works.   Will samba work with sasl digest-md5 at 
> all?
Samba uses its own password hashes, which are stored in the
sambaNTPassword and sambaLMPassword attributes of each user. The
password exchange between Samba and the Windows computers is done using
this password hash. So no digest-md5 there.

But: as Samba doesn't relate to the userPassword attribute at all, you
may have digest-md5 for other uses, like mail etc.

Also, there is a patch to cyrus-sasl so that cyrus-sasl can use the domain
to check if a user is authenticated. I haven't tested it, but if I've
understood the patch correctly then the patch may be used to grant
clients SSO to SASL-enabled services. (Abartlett: yes or no?)

Even if it doesn't do that, you'll get a more secure password exchange
than just plaintext for those clients.

Also, there's a module for OpenLDAP 2.2.x that makes OpenLDAP take over
the job of syncing passwords between the different hashes stored in the
database. It might be worth looking at that.


> Here are relevant details from smb.conf:
>    security = user
>    encrypt passwords = yes
>    smb passwd file = /etc/samba/smbpasswd
>    unix password sync = Yes
>    passwd program = /usr/bin/passwd %u
>    passwd chat = *New*password* %n\n *Retype*new*password* %n\n 
> *passwd:*all*authentication*tokens*updated*successfully*
>    pam password change = yes
>   encrypt passwords = yes
>   smb passwd file = /etc/samba/smbpasswd
>   obey pam restrictions = yes
>   domain master = yes
>   local master = yes
>   domain logons = yes
> add user script = /usr/share/samba/scripts/smbldap-useradd.pl '%u'
> delete user script = /usr/share/samba/scripts/smbldap-userdel.pl '%u'
> add user to group script = /usr/share/samba/scripts/smbldap-groupmod.pl -m 
> '%u' '%g'
> delete user from group script = /usr/share/samba/scripts/smbldap-groupmod.pl 
> -x '%u' '%g'
> set primary group script = /usr/share/samba/scripts/smbldap-usermod.pl -g 
> '%g' '%u'
> add group script = /usr/share/samba/scripts/smbldap-groupadd.pl '%g' && 
> /usr/share/samba/scripts/smbldap-groupshow.pl %g|awk '/^gidNumber:/ {print 
> $2}'
> delete group script = /usr/share/samba/scripts/smbldap-userdel.pl '%g'
> passdb backend = ldapsam:ldaps://newser1.cpc.net.au smbpasswd guest
> ldap admin dn = uid=administrator,ou=System,ou=People,dc=cpc
> ldap port = 389
> ldap suffix = dc=cpc
> ldap machine suffix = ou=Hosts,ou=System
> ldap user suffix = ou=People
> ldap group suffix = ou=Group
> ldap machine suffix = ou=Hosts,ou=System
> ldap user suffix = ou=Utiba,ou=People
> ldap group suffix = ou=grpUtiba,ou=Group
> smb.log :
>   ldap_connect_system: Binding to ldap server ldaps://newser1.cpc.net.au as 
> "uid=administrator,ou=System,ou=People,dc=cpc"
> [2004/10/19 01:54:31, 2] lib/smbldap.c:smbldap_connect_system(796)
>   failed to bind to server with dn= 
> uid=administrator,ou=System,ou=People,dc=cpc Error: Invalid credentials
> Regards,
> Ben
Tarjei Huse <tarjei at nu.no>
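Added illustration for this thread (not part of Tarjei's or Ben's mail, and not Samba's or OpenLDAP's own code): the point above is that a Samba-3 LDAP user carries two independent credential stores, userPassword (here a {SSHA} value, the kind used by SASL/simple bind for mail and other services) and sambaNTPassword (MD4 over the UTF-16LE password, stored as upper-case hex, used in the NTLM exchange with Windows clients). The script below computes both from one password and has a `hashes_in_sync` check that shows what goes wrong when only one of them is changed, which is the drift the password-sync overlay Tarjei mentions is meant to prevent. MD4 is implemented in pure Python because OpenSSL 3 often disables it in hashlib. The base DN `dc=example,dc=test`, the user `alice` and the passwords are constructed sample values; sambaLMPassword (the DES-based LanMan hash) is deliberately left out.

```python
import base64
import hashlib
import os
import struct

MASK32 = 0xFFFFFFFF


def _lrot(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320). hashlib's md4 is often missing under OpenSSL 3."""
    msg = bytearray(data)
    bit_len = (8 * len(data)) & 0xFFFFFFFFFFFFFFFF
    msg.append(0x80)                      # padding: 1 bit, zeros, 64-bit LE length
    while len(msg) % 64 != 56:
        msg.append(0)
    msg += struct.pack("<Q", bit_len)

    def f(x, y, z): return ((x & y) | (~x & z)) & MASK32
    def g(x, y, z): return (x & y) | (x & z) | (y & z)
    def h(x, y, z): return x ^ y ^ z

    # (boolean function, additive constant, per-step rotations, word order) per round
    rounds = (
        (f, 0x00000000, (3, 7, 11, 19), list(range(16))),
        (g, 0x5A827999, (3, 5, 9, 13), [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]),
        (h, 0x6ED9EBA1, (3, 9, 11, 15), [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]),
    )
    A, B, C, D = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = A, B, C, D
        for func, const, shifts, order in rounds:
            for i, k in enumerate(order):
                t = (a + func(b, c, d) + X[k] + const) & MASK32
                # each step updates one register; rotate the tuple so "a" is always the target
                a, b, c, d = d, _lrot(t, shifts[i % 4]), b, c
        A, B, C, D = ((A + a) & MASK32, (B + b) & MASK32,
                      (C + c) & MASK32, (D + d) & MASK32)
    return struct.pack("<4I", A, B, C, D)


def nt_hash(password: str) -> str:
    """sambaNTPassword: MD4 of the UTF-16LE password, upper-case hex as Samba stores it."""
    return md4(password.encode("utf-16-le")).hex().upper()


def ssha_userpassword(password: str, salt: bytes = None) -> str:
    """userPassword in OpenLDAP's {SSHA} form: base64(sha1(password || salt) || salt)."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_ssha(stored: str, password: str) -> bool:
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hashlib.sha1(password.encode("utf-8") + salt).digest() == digest


def samba_user_entry(uid: str, password: str,
                     base_dn: str = "ou=People,dc=example,dc=test") -> dict:
    """The two independent credential attributes of a Samba-3 LDAP user (constructed DN)."""
    return {
        "dn": f"uid={uid},{base_dn}",
        "userPassword": ssha_userpassword(password),   # used by SASL / simple bind
        "sambaNTPassword": nt_hash(password),          # used by the NTLM exchange
    }


def hashes_in_sync(entry: dict, password: str) -> bool:
    """True only if both stores verify against the same password."""
    return (verify_ssha(entry["userPassword"], password)
            and entry["sambaNTPassword"] == nt_hash(password))


if __name__ == "__main__":
    alice = samba_user_entry("alice", "correct horse")
    print(alice["dn"], hashes_in_sync(alice, "correct horse"))   # True
    # A plain `passwd` run rewrites only userPassword; Samba keeps the old NT hash.
    alice["userPassword"] = ssha_userpassword("rotated")
    print("after one-sided change:", hashes_in_sync(alice, "rotated"),
          hashes_in_sync(alice, "correct horse"))                 # False False
```

Two things worth checking on an entry like Ben's: sambaNTPassword is password-equivalent for NTLM, so the slapd.conf ACL on it (and on userPassword) should allow read only to the Samba admin DN, never to anonymous or ordinary users. And the "Invalid credentials" in the quoted log is Samba's own simple bind as the `ldap admin dn`, which uses the secret stored in secrets.tdb with `smbpasswd -w`; that bind has to succeed before any user hash is even consulted, so it is independent of what is in the user entries.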
