[Samba] pam_winbind vs. pam_ldap ?
Dr. Lars Hanke
lars at lhanke.de
Tue Feb 3 02:13:19 MST 2015
On 03.02.2015 at 03:54, Andrey Repin wrote:
> Greetings, All!
>
> I'm using Samba 3.6 and OpenLDAP currently.
> The core configuration has been done eons ago, and I'm not quite sure it is
> actual any more. I see a number of PAM-related errors every time the system
> boot up. One concerning me is
> Jan 28 02:31:21 daemon1 perl: pam_ldap: error trying to bind as user "uid=root,ou=Users,dc=darkdragon,dc=lan" (Invalid credentials)
> Is this a broken PDC configuration (how can I fix it, if yes?) or I can just
> remove libpam-ldap since I'm using libpam-winbind anyway?
Although the credential issue should not occur, traditional pam_ldap for
user authentication is a very bad idea. It sends plain text passwords
over the network, unless you force TLS, which of course requires you to set
up a PKI for your net.
If you do not want that and don't want to go for Kerberos, then winbind
is a sensible option. However, using winbind for NSS also has its own
potential to drive you nuts. ;)
Concerning the error message: pam_ldap tries to bind to LDAP using the
DN shown and fails. The DN is configured as something like "rootDN" in
the pam_ldap config. It could be that the password is also in the config
file, but better practice is to have it in a separate file, usually
called *.secret. The file name should in turn be configured in the PAM
configuration. The description fits more to libnss-ldap, but I recall
that it was not much different for pam-ldap.
Regards,
- lars.
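As an added illustration of the points above (this is not code from the thread or from the pam_ldap project), a small POSIX shell audit that reads a PADL-style pam_ldap.conf and flags the weak settings: a bind password stored inline, TLS not forced, the server certificate not verified, and a world-readable secret file. The directive names (bindpw, rootbinddn, ssl, tls_checkpeer, tls_cacertfile), the default secret-file path and the sample files are assumptions constructed for the example.

```shell
# Constructed sample of a PADL-style pam_ldap.conf with the weak settings this
# thread warns about: the bind password inline and no TLS.
WEAK_CONF='uri ldap://ldap.example.lan/
base dc=example,dc=lan
rootbinddn cn=admin,dc=example,dc=lan
bindpw secret123
ssl no'

# The same file corrected: password moved to the secret file, TLS forced and the
# server certificate checked against a local CA (paths are assumptions).
FIXED_CONF='uri ldap://ldap.example.lan/
base dc=example,dc=lan
rootbinddn cn=admin,dc=example,dc=lan
ssl start_tls
tls_checkpeer yes
tls_cacertfile /etc/ssl/certs/internal-ca.pem'

# ldap_conf_val <file> <directive>: first value of a directive, empty if unset.
ldap_conf_val() {
    sed -n "s/^[[:space:]]*$2[[:space:]][[:space:]]*//p" "$1" | head -n 1
}

# audit_ldap_conf <conf> [secret-file]: prints one line per finding; the return
# value is the number of findings (0 means the file passes these checks).
audit_ldap_conf() {
    conf=$1
    secret=${2:-/etc/ldap.secret}   # assumed default; Debian uses /etc/pam_ldap.secret
    n=0
    if [ -n "$(ldap_conf_val "$conf" bindpw)" ]; then
        echo "bindpw stored inline in $conf; keep it in $secret (mode 600) instead"
        n=$((n + 1))
    fi
    case "$(ldap_conf_val "$conf" ssl)" in
        start_tls|on) ;;
        *) echo "ssl is not start_tls/on: bind passwords cross the network in clear"
           n=$((n + 1)) ;;
    esac
    if [ "$(ldap_conf_val "$conf" tls_checkpeer)" != yes ]; then
        echo "tls_checkpeer is not yes: the LDAP server certificate is not verified"
        n=$((n + 1))
    fi
    # Columns 5-10 of 'ls -ld' output are the group and other permission bits.
    if [ -f "$secret" ] && [ "$(ls -ld "$secret" | cut -c5-10)" != "------" ]; then
        echo "$secret is readable by group or others; chmod 600 it"
        n=$((n + 1))
    fi
    return $n
}

if [ $# -gt 0 ]; then audit_ldap_conf "$@"; fi
```

Run it as `sh audit.sh /etc/pam_ldap.conf /etc/pam_ldap.secret` (or the paths your distribution uses) and treat each printed line as a setting to fix.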