[Samba] Authentication against Apple Open Directory (was: Re: LDAP authentication without Samba schema)
abartlet at samba.org
Fri Sep 4 00:05:56 UTC 2015
On Wed, 2015-08-12 at 06:18 -0700, John Hixson wrote:
> I am in a position where I would like to have LDAP authentication for
> CIFS shares, but cannot modify the LDAP server. The LDAP server is
> Directory and does not have the Samba schema included or configured.
> only have read only access, a keytab, and possibly a read only bind
> user. Is this possible?
Oddly, I've had a client ask me much the same thing, and the approach I
am recommending to them is to use that keytab, and have Samba accept
kerberos logins as you suggest below.
> I have attempted to get this working in various ways. I tried
> plaintext auth and relying on PAM for authentication (this works for
> but not 4.x, why is that?).
We busted plaintext auth in 4.x. The patch is trivial (it is in a bug
somewhere), but I got stubborn and refused to apply it. My argument
was that we needed a test for it, as otherwise we would just break it
again, and that needs some work in our auth stack to force use of not
-pam, and then to put a password in nss_wrapper.
Plaintext auth is a bad idea anyway, it should be avoided where
> I have also tried to use kerberos, but am
> hitting several brick walls just because I'm not familiar with how to
> handle host principals correctly on OS X.
Do you have any update on that? Kerberos should be the right way, but
I'm stuck in a similar spot with my client. We kept on having the
ticket come back as 'service expired'.
It seems it should be as simple as:
kadmin> add --random-key cifs/mynas.apples-od.local at APPLES-OD.LOCAL
Max ticket life [unlimited]:
Max renewable life [unlimited]:
Principal expiration time [never]:
Password expiration time [never]:
kadmin> ext_keytab cifs/mynas.apples-od.local at APPLES-OD.LOCAL
Sadly, that doesn't work for us yet.
> The last thing I tried was to
> use pam_smbpass and have everyone ssh into the Samba server and have
> their passwords stored locally in a TDB database.
> Clearly there must be another way. I am not happy with any of these
> methods. AD works out of the box with minimal fuss. Why can't LDAP?
> reviewed the authentication code, and perhaps I am missing something,
> but it seems straight forward to write an LDAP auth module that does
> not require the Samba LDAP schema.
The issue is that we need the NT or LM passwords, or someone to
delegate checking them to.
With all your work on vfs_fruit, I'm wondering if you have an
experience or working set of steps for setting up Samba with Kerberos
in an Apple OD domain?
Authentication Developer, Samba Team https://samba.org
Samba Development and Support, Catalyst IT
More information about the samba