[Samba] Samba with LDAP Integration

Dave Ewart davee at ceu.ox.ac.uk
Wed Apr 18 16:07:07 GMT 2007


On Monday, 16.04.2007 at 16:06 +0100, James Ray wrote:

> I am trying to work out if the current setup is possible: I would like
> to have Samba running to authenticate shares for /home directories
> running under FC6. All of my users are posixAccounts in an LDAP
> Directory.
> 
> I would like to use this information to authenticate these shares but
> without making any changes to the LDAP Directory itself (so including
> no new objects or schema changes).
> 
> Is there any way to do this? All my previous attempts have led to the
> Samba server doing a search on objectClass=sambaSamAccount which I of
> course would rather not have. Is it just possible to use the standard
> password attribute for authentication? Does anyone have a sample setup
> of such a situation?

I suspect this is not possible, for the following reason.  Windows
clients don't send the plain password across the network to the Samba
server; they send a password hash (typically the NT password hash).

This hash has to be compared with something in order to authenticate:
the standard LDAP userPassword hash is a different hash and so cannot be
used.  And you don't have the plain password from the client in order to
*create* a userPassword-style hash (MD5 or crypt or whatever) to compare
against LDAP.

There are two options:

1. Add the Samba schema - probably the best way;

2. Configure all your Windows clients to send plain passwords.  This is
almost certainly a really bad idea.

Dave.

-- 
Dave Ewart
davee at ceu.ox.ac.uk
Computing Manager, Cancer Epidemiology Unit
Cancer Research UK / Oxford University
PGP: CC70 1883 BD92 E665 B840 118B 6E94 2CFD 694D E370
Get key from http://www.ceu.ox.ac.uk/~davee/davee-ceu-ox-ac-uk.asc
N 51.7518, W 1.2016