[Samba] Samba 4 LDAP security

steve steve at steve-ss.com
Thu Jan 19 09:58:33 MST 2012


I'm using Samba 4 to serve Linux and Windows 7 clients.

I'd like to use GSSAPI to bind to the Samba 4 LDAP to extract the 
attributes I've added for the Linux clients.  nslcd advertises such 
support, but keeps telling me 'Unknown authentication method'. As a 
workaround I've done this:

I'm using nss-ldapd to map user attributes via nfs4 to the Linux 
clients. Works fine, but the binddn and bindpw have to be stored in 
/etc. nslcd runs as user nslcd and I have the permissions on 
/etc/nslcd.conf set to 0400 nslcd:nslcd. I've discovered that any user 
can do the bind, so it's not the Admin password that is needed.

Until I can get the kerberized bind working (probably never!), any 
comments about the security of this? Are there other processes where 
passwords have to be stored in a file?
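
An added example, not part of the original post: a shell check of the setup described above, covering the mode and owner of the file that holds binddn/bindpw and whether the stored bind account is the domain Administrator. The function name `audit_nslcd_conf`, the sample values in any test input and the use of GNU `stat -c` are assumptions.

```shell
#!/bin/sh
# Audit an nslcd.conf that stores a simple-bind credential (binddn/bindpw).
# Assumptions: GNU coreutils `stat -c`; audit_nslcd_conf is a hypothetical name.
#
# Usage: audit_nslcd_conf FILE [EXPECTED_OWNER]
# Prints one finding per line. Returns 0 = clean, 1 = findings, 2 = no file.
audit_nslcd_conf() (
    file=$1
    owner=${2:-nslcd}
    findings=0

    [ -f "$file" ] || { echo "MISSING: $file"; return 2; }

    mode=$(stat -c '%a' "$file")    # octal, e.g. 400
    actual=$(stat -c '%U' "$file")  # owning user name

    # Any group/other bit lets local users other than the daemon read bindpw.
    case "$mode" in
        *00|0) ;;
        *) echo "MODE: $file is $mode, group/other must have no access"
           findings=1 ;;
    esac

    if [ "$actual" != "$owner" ]; then
        echo "OWNER: $file belongs to $actual, expected $owner"
        findings=1
    fi

    # Last binddn value in the file (comment lines start with '#').
    binddn=$(awk 'tolower($1) == "binddn" { $1 = ""; sub(/^[ \t]+/, ""); v = $0 }
                  END { print v }' "$file")

    # Since any domain user can perform the bind, a stored Administrator
    # password is unnecessary exposure; flag it.
    if grep -qiE '^[[:space:]]*bindpw[[:space:]]' "$file" &&
       printf '%s\n' "$binddn" | grep -qiE '^cn=administrator,'; then
        echo "ACCOUNT: bindpw stored for $binddn, use an unprivileged account"
        findings=1
    fi

    return "$findings"
)

# Audit the given file when the script is run with arguments.
if [ $# -gt 0 ]; then audit_nslcd_conf "$@"; fi
```
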

