[Samba] LDAP authentication without Samba schema

John Hixson john at ixsystems.com
Wed Aug 12 13:18:54 UTC 2015


Hi,

I am in a position where I would like to have LDAP authentication for
CIFS shares, but cannot modify the LDAP server. The LDAP server is Open
Directory and does not have the Samba schema included or configured. I
only have read-only access, a keytab, and possibly a read-only bind
user. Is this possible?

I have attempted to get this working in various ways. I tried enabling
plaintext auth and relying on PAM for authentication (this works for 3.x,
but not 4.x, why is that?). I have also tried to use Kerberos, but am
hitting several brick walls just because I'm not familiar with how to
handle host principals correctly on OS X. The last thing I tried was to
use pam_smbpass and have everyone ssh into the Samba server and have
their passwords stored locally in a TDB database.

Clearly there must be another way. I am not happy with any of these
methods. AD works out of the box with minimal fuss. Why can't LDAP? I've
reviewed the authentication code, and perhaps I am missing something,
but it seems straightforward to write an LDAP auth module that does not
require the Samba LDAP schema.

Does anyone have any input here? I would really appreciate it.

Thanks!

- John