[Samba] Authentication against Apple Open Directory (was: Re: LDAP authentication without Samba schema)

John Hixson john at ixsystems.com
Fri Sep 4 04:12:35 UTC 2015 

On Fri, Sep 04, 2015 at 12:05:56PM +1200, Andrew Bartlett wrote:
> On Wed, 2015-08-12 at 06:18 -0700, John Hixson wrote:
> > Hi,
> > 
> > I am in a position where I would like to have LDAP authentication for
> > CIFS shares, but cannot modify the LDAP server. The LDAP server is 
> > Open
> > Directory and does not have the Samba schema included or configured. 
> > I
> > only have read only access, a keytab, and possibly a read only bind
> > user. Is this possible?
> 
> Oddly, I've had a client ask me much the same thing, and the approach I
> am recommending to them is to use that keytab, and have Samba accept
> kerberos logins as you suggest below.
> 
> > I have attempted to get this working in various ways. I tried 
> > enabling
> > plaintext auth and relying on PAM for authentication (this works for 
> > 3.x,
> > but not 4.x, why is that?). 
> 
> We busted plaintext auth in 4.x.  The patch is trivial (it is in a bug
> somewhere), but I got stubborn and refused to apply it.  My argument
> was that we needed a test for it, as otherwise we would just break it
> again, and that needs some work in our auth stack to force use of not
> -pam, and then to put a password in nss_wrapper. 
> 
> Plaintext auth is a bad idea anyway, it should be avoided where
> possible.
> 
> > I have also tried to use kerberos, but am
> > hitting several brick walls just because I'm not familiar with how to
> > handle host principals correctly on OS X. 
> 
> Do you have any update on that?  Kerberos should be the right way, but
> I'm stuck in a similar spot with my client.  We kept on having the
> ticket come back as 'service expired'. 
> 
> It seems it should be as simple as: 
> kadmin -l
> kadmin> add --random-key cifs/mynas.apples-od.local at APPLES-OD.LOCAL
> Max ticket life [unlimited]:
> Max renewable life [unlimited]:
> Principal expiration time [never]:
> Password expiration time [never]:
> Attributes []:
> Policy [default]:
>  
> kadmin> ext_keytab cifs/mynas.apples-od.local at APPLES-OD.LOCAL
> kadmin> exit

This is exactly the problem I am having on OS X. 

- John

> 
> Sadly, that doesn't work for us yet.
> 
> > The last thing I tried was to
> > use pam_smbpass and have everyone ssh into the Samba server and have
> > their passwords stored locally in a TDB database.
> > 
> > Clearly there must be another way. I am not happy with any of these
> > methods. AD works out of the box with minimal fuss. Why can't LDAP? 
> > I've
> > reviewed the authentication code, and perhaps I am missing something,
> > but it seems straight forward to write an LDAP auth module that does 
> > not require the Samba LDAP schema.
> > 
> 
> The issue is that we need the NT or LM passwords, or someone to
> delegate checking them to. 
> 
> Ralph,
> 
> With all your work on vfs_fruit, I'm wondering if you have an
> experience or working set of steps for setting up Samba with Kerberos
> in an Apple OD domain?
> 
> Thanks,
> 
> Andrew Bartlett
> 
> -- 
> Andrew Bartlett
> https://samba.org/~abartlet/
> Authentication Developer, Samba Team         https://samba.org
> Samba Development and Support, Catalyst IT   
> https://catalyst.net.nz/services/samba
> 
> 
> 
> 
>

More information about the samba mailing list