[Samba] Samba with legacy LDAP

Michael Heydon michaelh at jaswin.com.au
Wed Apr 22 08:29:52 GMT 2009 

Jorgen Lundman wrote:
> Standard ISP hosting with virtual users here. So we already have an 
> existing system setup, based around OpenLDAP data for customer 
> information. Currently for WWW hosting, users have FTP access. But FTP 
> seems to be a hurdle for certain users, so I was thinking about also 
> offering SMB access in parallel with FTP, so they could just MAP a 
> drive letter to their WWW area.
Connecting to SMB/CIFS over the internet tends to be extremely slow. I'm 
not sure why that should be the case, but having played with direct 
access over the internet vs over a VPN, the internet one is 
substantially slower (to the point of being practically unusable). That 
might be less of an issue if you are their ISP.

Mapping a drive could also cause problems. In the past I have had issues 
with very long delays opening My Computer when network drives are slow 
to respond. I've just tried to replicate this issue and it doesn't 
appear to be a problem in Vista but I have certainly seen it with some 
versions of XP.

> Currently the LDAP has user data in "qmail" and POSIX style schema, 
> which seems to be fairly common. (uidNumber, gidNumber, gecos, 
> homeDirectory etc). Currently passwords are stored in plain-text.
I hesitate to say that storing passwords in plain-text is "good", but in 
this case it will greatly simplify things. You will need to add the 
samba schema.

> 1) Can I make Samba lookup uid,gid,homeDirectory from LDAP directly? 
> The new privacy-laws do not allow us to use PAM for the customers as a 
> whole. I expected to be able to specify LDAP search filter, and a map 
> between our LDAP attributes and those Samba expects (which appear to 
> mostly overlap though). But this appears to have been removed?
Samba is able to talk to LDAP directly and fully understands the fields 
in the POSIX schema, there are plenty of OSs supported by Samba that 
don't use PAM (Slackware, AIX, probably the various BSDs).

> 2) Can I use the plain-text passwords directly, and avoid having to 
> store nt and lm passwords?
Not without having to make changes to how the client PCs will 
authenticate, so pretty much "no". However since you have the passwords 
in plaintext it isn't too much of a hassle to generate the hashes.

> Since with FTP you login as "ftpuser at example.com" with appropriate 
> password, I was hoping that users could connect to our samba server, 
> authenticating as "ftpuser at example.com" and same password. It would 
> then set the share path to the users homeDirectory 
> (/export/cust14/com/e/x/example/ftpuser/) and use their uid, gid.
Sounds reasonably straight forward.
>
> Are there other reasons why this could not be done? Anyone already 
> done something similar? Any pit-falls?
I'm not certain that it is a good idea, but it's not impossible.

*Michael Heydon - IT Administrator *
michaelh at jaswin.com.au <mailto:michaelh at jaswin.com.au>

More information about the samba mailing list