[Samba] Samba LDAP passthrough authentication to another openLDAP

Adam Tauno Williams awilliam at whitemice.org
Thu Feb 16 06:22:44 MST 2012


On Thu, 2012-02-16 at 21:10 +0800, Fajar Priyanto wrote:
> Hi all,
> I have a setup like this. Please let me know if it's possible or not.
> SAMBA + Local LDAP ---> SASLAUTHD --> Global LDAP

No.  

Samba uses the sambaNTPassword attribute in its LDAP schema which is a
crypt of the password.  You may be able to get plain-text authentication
to work but only by adjusting Samba *and* hacking the registry on every
client.

> Desc:
> I'd like to do Samba authentication to LDAP, passthrough to another
> LDAP using SASL.
> The current situation is:
> SSH authentication from LDAP user to that Samba box works.

That doesn't involve Samba unless you are using Kerberos or something
like pam_winbind / pam_smbpasswd [I don't even know which if any of
those are currently 'active'].

> However, smb authentication doesn't work (yet).
> This is what's shown in syslog when doing Samba authentication:
> Feb 16 20:47:05 sglabldap slapd[1393]: => access_allowed: read access
> to "uid=fajar,ou=people,dc=example,dc=com" "userPassword" requested

Looks like pam_ldap authentication to me.

There may be a way to proxy authentication via LDAP [there are jillions
of things you can do with LDAP] but I doubt involving saslauthd [plain
text authentication] is going to work very well.

-- 
System & Network Administrator [ LPI & NCLA ]
<http://www.whitemiceconsulting.com>
OpenGroupware Developer <http://www.opengroupware.us>
Adam Tauno Williams
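
An added example, not part of the original message: a short Python audit over an LDIF export that shows which accounts carry the sambaNTPassword attribute Samba checks for SMB logons and which only hold a pass-through userPassword that works for simple binds. It assumes the pass-through is configured with OpenLDAP's `{SASL}user@realm` userPassword value; the entries, the hash and the status names are constructed for illustration.

```python
import base64

def parse_ldif(text):
    """Yield one dict per entry: lower-cased attribute name -> list of values."""
    text = text.replace("\n ", "")  # unfold LDIF continuation lines
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            if not line or line.startswith("#") or ":" not in line:
                continue
            name, _, rest = line.partition(":")
            if rest.startswith(":"):  # "attr:: value" means base64-encoded
                value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
            else:
                value = rest.strip()
            entry.setdefault(name.lower(), []).append(value)
        if entry:
            yield entry

def smb_auth_status(entry):
    """Classify an entry by what Samba has available to verify an SMB logon."""
    passthrough = any(p.upper().startswith("{SASL}") for p in entry.get("userpassword", []))
    nt = entry.get("sambantpassword", [""])[0]
    has_nt = len(nt) == 32 and set(nt.lower()) <= set("0123456789abcdef")
    if has_nt:
        # The local hash is a separate copy; it does not follow the global password.
        return "smb-capable-unsynced" if passthrough else "smb-capable"
    return "bind-only" if passthrough else "no-samba-hash"

def audit(ldif_text):
    return {e["dn"][0]: smb_auth_status(e) for e in parse_ldif(ldif_text)}

# Constructed sample entries (not from the thread); the hash is a dummy value.
SAMPLE_LDIF = "\n".join([
    "dn: uid=fajar,ou=people,dc=example,dc=com",
    "userPassword: {SASL}fajar@EXAMPLE.COM",
    "",
    "dn: uid=alice,ou=people,dc=example,dc=com",
    "userPassword:: " + base64.b64encode(b"{SASL}alice@EXAMPLE.COM").decode(),
    "sambaNTPassword: 0123456789ABCDEF0123456789ABCDEF",
    "",
    "dn: uid=bob,ou=people,dc=example,dc=com",
    "userPassword: {SSHA}constructed-placeholder",
])

if __name__ == "__main__":
    for dn, status in audit(SAMPLE_LDIF).items():
        print(f"{status:22} {dn}")
```

Entries reported as `bind-only` match the situation in the thread: the LDAP bind (and so SSH via pam_ldap) succeeds, while Samba has no sambaNTPassword to check an SMB logon against.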