[Samba] Authentication against Apple Open Directory (was: Re: LDAP authentication without Samba schema)

Andrew Bartlett abartlet at samba.org
Fri Sep 4 00:05:56 UTC 2015

On Wed, 2015-08-12 at 06:18 -0700, John Hixson wrote:
> Hi,
> I am in a position where I would like to have LDAP authentication for
> CIFS shares, but cannot modify the LDAP server. The LDAP server is Open
> Directory and does not have the Samba schema included or configured. I
> only have read-only access, a keytab, and possibly a read-only bind
> user. Is this possible?

Oddly, I've had a client ask me much the same thing, and the approach I
am recommending to them is to use that keytab, and have Samba accept
kerberos logins as you suggest below.

> I have attempted to get this working in various ways. I tried enabling
> plaintext auth and relying on PAM for authentication (this works for 3.x,
> but not 4.x, why is that?).

We busted plaintext auth in 4.x.  The patch is trivial (it is in a bug
somewhere), but I got stubborn and refused to apply it.  My argument
was that we needed a test for it, as otherwise we would just break it
again, and that needs some work in our auth stack to force use of not-pam,
and then to put a password in nss_wrapper.

Plaintext auth is a bad idea anyway, it should be avoided where

> I have also tried to use kerberos, but am
> hitting several brick walls just because I'm not familiar with how to
> handle host principals correctly on OS X. 

Do you have any update on that?  Kerberos should be the right way, but
I'm stuck in a similar spot with my client.  We kept on having the
ticket come back as 'service expired'. 

It seems it should be as simple as:
# Heimdal kadmin in local mode; run as root on the OD master (the KDC)
kadmin -l
kadmin> add --random-key cifs/mynas.apples-od.local@APPLES-OD.LOCAL
Max ticket life [unlimited]:
Max renewable life [unlimited]:
Principal expiration time [never]:
Password expiration time [never]:
Attributes []:
Policy [default]:
# write the new principal's keys into the keytab Samba will read
kadmin> ext_keytab cifs/mynas.apples-od.local@APPLES-OD.LOCAL
kadmin> exit

Sadly, that doesn't work for us yet.

> The last thing I tried was to use pam_smbpass and have everyone ssh
> into the Samba server and have their passwords stored locally in a TDB
> database. Clearly there must be another way. I am not happy with any of
> these methods. AD works out of the box with minimal fuss. Why can't
> LDAP? I've reviewed the authentication code, and perhaps I am missing
> something, but it seems straightforward to write an LDAP auth module
> that does not require the Samba LDAP schema.

The issue is that we need the NT or LM passwords, or someone to
delegate checking them to. 


With all your work on vfs_fruit, I'm wondering if you have any
experience or working set of steps for setting up Samba with Kerberos
in an Apple OD domain?


Andrew Bartlett

Andrew Bartlett
Authentication Developer, Samba Team         https://samba.org
Samba Development and Support, Catalyst IT   
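
The kadmin session above creates the cifs/ service principal and exports its keys, but the thread stops at "that doesn't work for us yet". The script below is an added example (not code from the thread or from the Samba project) of the checks a practitioner would run on the resulting keytab before blaming Samba: is the principal actually in the keytab, which key version(s) does it hold, and does a keytab kinit against the KDC succeed. The keytab path /etc/krb5.keytab, the Heimdal command-line flags (kadmin --use-defaults, ktutil -k, kinit -k -t) and the sample listing are my assumptions; only the principal name comes from the original post. The parsing functions run offline on a constructed listing; the live procedure only runs when RUN_LIVE=1.

```shell
#!/bin/sh
# Added example, not from the original thread: sanity checks on the cifs/
# service principal and keytab before pointing Samba at it.
# Assumed placeholders (mine): KEYTAB is where ext_keytab wrote the keys;
# PRINC is the Samba service principal from the thread.
PRINC="cifs/mynas.apples-od.local@APPLES-OD.LOCAL"
KEYTAB="/etc/krb5.keytab"

# kvno_from_listing LISTING PRINCIPAL
# Parses a keytab listing (Heimdal 'ktutil -k FILE list' or MIT 'klist -kt FILE';
# both print the key version number as the first field of each entry line)
# and prints the distinct kvnos held for PRINCIPAL. Empty output means the
# principal is not in the keytab at all.
kvno_from_listing() {
    printf '%s\n' "$1" | awk -v p="$2" '
        { for (i = 1; i <= NF; i++) if ($i == p) { print $1; next } }
    ' | sort -u
}

# kvno_in_keytab LISTING PRINCIPAL KVNO
# Returns 0 if the keytab holds that key version. A service ticket carries
# the KDC's current kvno; if the keytab only has an older version (key
# re-randomised after ext_keytab was run) Samba cannot decrypt the ticket.
kvno_in_keytab() {
    kvno_from_listing "$1" "$2" | grep -qx "$3"
}

# Constructed sample in Heimdal 'ktutil list' layout (not captured from a
# real OD master); the host/ entry shows that other principals are ignored.
SAMPLE_LISTING='Vno  Type                     Principal                                    Date
  3  aes256-cts-hmac-sha1-96  cifs/mynas.apples-od.local@APPLES-OD.LOCAL   2015-09-04
  3  aes128-cts-hmac-sha1-96  cifs/mynas.apples-od.local@APPLES-OD.LOCAL   2015-09-04
  2  aes256-cts-hmac-sha1-96  host/mynas.apples-od.local@APPLES-OD.LOCAL   2015-09-01'

# Live procedure: needs root on the OD master with Heimdal tools and the KDC.
# Step 1 is the thread's interactive kadmin session as one-liners (flags are
# my assumption about Heimdal kadmin); steps 2 and 3 are the checks.
live_check() {
    kadmin -l add --random-key --use-defaults "$PRINC" || return 1
    kadmin -l ext_keytab -k "$KEYTAB" "$PRINC" || return 1
    listing=$(ktutil -k "$KEYTAB" list) || return 1
    if [ -z "$(kvno_from_listing "$listing" "$PRINC")" ]; then
        echo "principal $PRINC is not in $KEYTAB" >&2
        return 1
    fi
    # A successful keytab kinit proves the keytab keys are the KDC's current
    # ones for this principal, independently of any SMB client.
    kinit -k -t "$KEYTAB" "$PRINC" || {
        echo "keytab keys for $PRINC do not match the KDC" >&2
        return 1
    }
    echo "keytab entries for $PRINC: kvno $(kvno_from_listing "$listing" "$PRINC")"
}

if [ "${RUN_LIVE:-0}" = 1 ]; then
    live_check
fi
```

Run it with RUN_LIVE=1 on the OD master after the kadmin steps; without that variable it only defines the helpers, which can be pointed at a saved listing from any host. If kinit from the keytab fails while the principal is present, the keys in the keytab are not the ones the KDC holds (re-run ext_keytab after any change to the principal); if it succeeds but the SMB client still fails, the problem is on the client's ticket or the Samba side rather than in the keytab.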
