[Samba] Authentication against Apple Open Directory (was: Re: LDAP authentication without Samba schema)
Andrew Bartlett
abartlet at samba.org
Fri Sep 4 00:05:56 UTC 2015
On Wed, 2015-08-12 at 06:18 -0700, John Hixson wrote:
> Hi,
>
> I am in a position where I would like to have LDAP authentication for
> CIFS shares, but cannot modify the LDAP server. The LDAP server is Open
> Directory and does not have the Samba schema included or configured. I
> only have read-only access, a keytab, and possibly a read-only bind
> user. Is this possible?
Oddly, I've had a client ask me much the same thing, and the approach I
am recommending to them is to use that keytab, and have Samba accept
kerberos logins as you suggest below.
> I have attempted to get this working in various ways. I tried enabling
> plaintext auth and relying on PAM for authentication (this works for
> 3.x, but not 4.x, why is that?).
We busted plaintext auth in 4.x. The patch is trivial (it is in a bug
somewhere), but I got stubborn and refused to apply it. My argument was
that we needed a test for it, as otherwise we would just break it again,
and that needs some work in our auth stack to force use of not-pam, and
then to put a password in nss_wrapper.
Plaintext auth is a bad idea anyway, it should be avoided where
possible.
> I have also tried to use kerberos, but am
> hitting several brick walls just because I'm not familiar with how to
> handle host principals correctly on OS X.
Do you have any update on that? Kerberos should be the right way, but
I'm stuck in a similar spot with my client. We kept on having the
ticket come back as 'service expired'.
It seems it should be as simple as:
kadmin -l
kadmin> add --random-key cifs/mynas.apples-od.local@APPLES-OD.LOCAL
Max ticket life [unlimited]:
Max renewable life [unlimited]:
Principal expiration time [never]:
Password expiration time [never]:
Attributes []:
Policy [default]:
kadmin> ext_keytab cifs/mynas.apples-od.local@APPLES-OD.LOCAL
kadmin> exit
Sadly, that doesn't work for us yet.
> The last thing I tried was to
> use pam_smbpass and have everyone ssh into the Samba server and have
> their passwords stored locally in a TDB database.
>
> Clearly there must be another way. I am not happy with any of these
> methods. AD works out of the box with minimal fuss. Why can't LDAP? I've
> reviewed the authentication code, and perhaps I am missing something,
> but it seems straightforward to write an LDAP auth module that does
> not require the Samba LDAP schema.
>
The issue is that we need the NT or LM passwords, or someone to
delegate checking them to.
Ralph,
With all your work on vfs_fruit, I'm wondering if you have any
experience or working set of steps for setting up Samba with Kerberos
in an Apple OD domain?
Thanks,
Andrew Bartlett
--
Andrew Bartlett
https://samba.org/~abartlet/
Authentication Developer, Samba Team https://samba.org
Samba Development and Support, Catalyst IT
https://catalyst.net.nz/services/samba
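As an added example (not from this thread or from the Samba project), a POSIX shell check for the keytab that the kadmin session above would export, to run before pointing Samba at it. It assumes MIT-style `klist -k -t` output, the realm and host from the kadmin example, and the smb.conf parameters `kerberos method` / `dedicated keytab file`; the listing it parses is constructed so it runs offline.

```shell
# Added example, not from the thread: sanity-check the keytab that
# "kadmin> ext_keytab" produced before handing it to Samba. It parses a
# constructed MIT-style "klist -k -t" listing so it runs offline; on a real
# host feed it the output of: klist -k -t /etc/krb5.keytab
REALM="APPLES-OD.LOCAL"                  # realm used in the thread's example
HOST_FQDN="mynas.apples-od.local"        # host used in the thread's example

# Constructed listing: klist prints one line per enctype, so principals repeat.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- ------------------------------------------------
   3 09/03/15 12:00:00 cifs/mynas.apples-od.local@APPLES-OD.LOCAL
   3 09/03/15 12:00:00 cifs/mynas.apples-od.local@APPLES-OD.LOCAL
   2 09/03/15 11:00:00 host/mynas.apples-od.local@APPLES-OD.LOCAL'

# keytab_principals LISTING -> unique "kvno principal" pairs
keytab_principals() {
    printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+$/ {print $1, $NF}' | sort -u
}

# has_service_principal LISTING SERVICE HOST REALM -> 0 if the entry exists
has_service_principal() {
    keytab_principals "$1" | awk -v p="$2/$3@$4" '$2 == p {f = 1} END {exit f ? 0 : 1}'
}

# max_kvno LISTING PRINCIPAL -> highest key version in the keytab (0 if absent).
# Compare it with the kvno the KDC issues for the service: a mismatch means the
# keytab holds a key the KDC no longer uses, and clients' tickets get rejected.
max_kvno() {
    keytab_principals "$1" | awk -v p="$2" '$2 == p && $1 + 0 > m {m = $1 + 0} END {print m + 0}'
}

# check_keytab LISTING HOST REALM -> 0 if the cifs/ entry is present and every
# entry belongs to the expected realm; prints each problem found
check_keytab() {
    listing=$1; host=$2; realm=$3; rc=0
    if ! has_service_principal "$listing" cifs "$host" "$realm"; then
        echo "missing cifs/$host@$realm"; rc=1
    fi
    foreign=$(keytab_principals "$listing" | awk -v r="$realm" '{split($2, a, "@"); if (a[2] != r) print $2}')
    if [ -n "$foreign" ]; then echo "entries from another realm: $foreign"; rc=1; fi
    return $rc
}

# smb.conf fragment that makes Samba read its service key from that keytab
samba_keytab_config() {
    printf '[global]\n    kerberos method = dedicated keytab\n    dedicated keytab file = /etc/krb5.keytab\n'
}
check_keytab "$SAMPLE_KLIST" "$HOST_FQDN" "$REALM" && samba_keytab_config
```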