[Samba] Re: Windows->LDAP->Samba

Mont Rothstein mont.rothstein at gmail.com
Wed Nov 16 21:30:47 GMT 2005

Thank you for that description, that helps a lot.

I just recently stumbled across authconfig which I think edits nsswitch.conf

>From your description it sounds like I probably don't need pGina (
http://pgina.xpasystems.com/). I came across some references that lead me to
believe that it would be necessary on the Windows client for this to work.
Do you agree that pGina should not be necessary?

Thanks again,

On 11/16/05, paul kölle <paul at subsignal.org> wrote:
> Mont Rothstein wrote:
> > I am hoping someone can tell me if I am trying something that can't be
> done.
> Well, if I understood you corretly I'll say yes ;)
> Don't make it harder than it is, there are only three parties involved
> 1) Windows (the client)
> 2) Samba ("app server")
> 3) LDAP (authentication backend)
> Windows never talks directly to LDAP (at least not in this scenario), it
> always contacts samba, PDC or not. So the windows box asks samba "hey, I
> want to write to your disk..." and samba, being a sensitive piece of
> software insists: "Wait a minute, tell me who you are and prove this
> somehow, then I'll ask my backend if it knows you and if your proof
> holds true,...".
> The stupid windows client, not knowing that he speaks to the glory UNIX
> world sends its usual credentials, a string like MYWORSTATION\joe and a
> "secret" hash.
> Now samba looks for a UNIX user joe via the normal system calls used on
> unix and in its configured backend for the hash and all the other pieces
> needed in the windows world and not present on a normal unix system
> account. Samba absolutely DOES NOT CARE where the unix NAMES (+uid,gid)
> come from. They need to be known to the system where samba is installed,
> period.
> Fortunately, linux/unix has quite a few sources where names may come
> from. This is abstracted through the NSS interface and implemented by
> shared libraries whose names happen to be libnss_<servicename>.so. If
> you have a line like:
> passwd: files ldap
> in your /etc/nsswitch.conf, the system will ask libnss_files.so and
> libnss_ldap.so for the names and numbers commonly known as "accounts".
> In your case, you want to enable/disable/setup users in LDAP only. All
> you have to do is:
> 1. Instruct your system to fetch unix NAMES from ldap (nss_ldap).
> 2. Instruct samba to fetch the windows bits from ldap (passdb backend).
> couldn't stress this point of common misconception less, sorry.
> Paul
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/listinfo/samba

More information about the samba mailing list