[Samba] basic LDAP authentication to Samba share from existin g directory
Sean Boran
sean at boran.com
Thu Jun 30 23:51:45 MDT 2011
Hi,
Would it be thinkable that users change their password8s) via web
interface, such as *phpldapadmin*?
The Windows tool LdapAdmin can change both passwords at once, but its not
suitable for end users.
Newer versions of phpldapadmion do it too, but I've not yet checked to see
if the GUI is usable for end users..
Sean Boran
On 30 June 2011 15:50, Hoover, Tony <hoover at sal.ksu.edu> wrote:
> We use pGINA (www.pgina.org) to authenticate windows user logins via
> ldaps:// against the university directory. Don't know if that will fit
> your
> model, but it works for us.
>
>
> ----------------------------------------------
> Tony Hoover, Network Administrator
> KSU - Salina, College of Technology and Aviation
> (785) 826-2660
>
> "Don't Blend in..."
> ----------------------------------------------
>
> -----Original Message-----
> From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org]
> On Behalf Of Brent Busby
> Sent: Wednesday, June 29, 2011 4:59 PM
> To: samba at lists.samba.org
> Subject: [Samba] basic LDAP authentication to Samba share from existing
> directory
>
> We have an existing LDAP directory in which users have UNIX passwords that
> are
> used for a variety of different services. We'd like to keep as close to
> having
> a single synchronized password service as possible, but we've run into an
> issue.
>
> There seem to be two ways of doing this, neither of which seem helpful:
>
> (1) "ldapsam"
> From looking at the Samba documentation that's available, it looks like
> there
> is no possibility of true password synchronization between NT passwords and
> UNIX. (Please correct me if that's not so -- I'd really like to be wrong!)
>
> You setup the samba.schema on the LDAP server, which gives you the
> sambaNTPassword objectClass (among others), and that stores the clients'
> Windows password. They still have regular UNIX password capability from
> the
>
> inetorgperson.schema. These are two separate password fields, provided by
> two
> different schemas, both belonging to the same user's LDAP account.
> Basically,
> you've got two account systems in the same user's LDAP data, completely
> separate. (Is all this true so far?)
>
> You use the ldapsam passdb backend to connect to Samba to your LDAP server,
> and
> when a Windows machine wants to change its NT password, it can use that
> backend
> to do it.
>
> None of this seems to be helping get any closer to allowing Windows clients
> to
> authenticate off of the same password database as our UNIX services....
> There's a utility called smbldap-populate, but all this seems to do is go
> through an existing user database and give the users the new Samba object
> classes if they don't have them. It doesn't really translate their UNIX
> passwords into NT passwords and fill them in, does it?
>
>
> (2) "pam_unix"
> On the other hand, there is a more apocryphal (and dangerous) way to do
> this,
> which does what we want, but is completely insecure:
>
> You can setup Samba to use pam_unix to authenticate, so that it is using
> the
>
> local UNIX security stack rather than its own ldapsam passdb, and then
> setup
>
> PAM to do LDAP auth at the UNIX level (the same way you would if you were
> setting the machine up to allow LDAP login for SSH or some other such UNIX
> service).
>
> The reason that's insecure is because since PAM doesn't know what to do
> with
> an
> encrypted NT password, it is necessary to setup both the Windows clients
> and
>
> the smb.conf on the Samba server for "encrypted passwords = no", which then
> makes it so that even if you're doing secure LDAP over SSL/TLS, you're
> still
>
> screwed because your passwords get sent from the Windows clients in
> cleartext.
> So you get:
>
> WINDOWS -> cleartext -> SAMBA -> ldap ssl/tls encrypted -> LDAP
>
> It's only encrypted for part of the trip, which isn't good enough at all.
>
> This method does however let you authenticate Windows clients directly off
> of
> an existing UNIX password database in LDAP, and works perfectly if you
> don't
>
> mind having passwords flying around in the clear on your LAN.
>
>
> Does anyone have any suggestions on this? I've poured over literally reams
> of
> Samba and LDAP documentation in the past week or so, looking for an answer
> to
> this. It hasn't helped that most of the documentation seems to be aimed at
> setting up Samba as a full scale NT Primary Domain Controller, with domain
> membership for machines and the whole nine yards. Many of these documents
> are
> much more elaborate than is (hopefully!) necessary for just doing LDAP
> password
> auth, and it's not clear from reading them how much of what is being
> described
> is required for basic authentication, and how much is just the writer
> taking
>
> advantage of everything Samba can do in one configuration. (Some of these
> howtos are thirty or forty pages long.) Also, many of them presume that
> you're
> starting from scratch, and that you don't have any existing users, and
> you're
> free to implement an LDAP namespace from an empty tree.
>
> Is there any way to LDAP-authenticate Samba from an existing user database
> with
> their existing UNIX passwords, without resorting to implementing a full PDC
> setup, or requiring that the Windows side use cleartext passwords, or
> ending
> up
> with two separate password fields (UNIX and NT)? (The later option almost
> seems to remove some of the motivation for using LDAP at all, since you end
> up
> with double-signon.
>
> Help and comments appreciated!
>
> --
> + Brent A. Busby + The New JFI Computing Web Site:
> + Sr. UNIX Systems Admin + http://jficomputing.uchicago.edu/
> + University of Chicago +
> + Physical Sciences Div. + For problem reports and requests:
> + James Franck Institute + email: sysadmin at jfi.uchicago.edu
>
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>
More information about the samba
mailing list