[Samba] Authentication against Apple Open Directory (was: Re: LDAP authentication without Samba schema)
John Hixson
john at ixsystems.com
Fri Sep 4 04:12:35 UTC 2015
On Fri, Sep 04, 2015 at 12:05:56PM +1200, Andrew Bartlett wrote:
> On Wed, 2015-08-12 at 06:18 -0700, John Hixson wrote:
> > Hi,
> >
> > I am in a position where I would like to have LDAP authentication for
> > CIFS shares, but cannot modify the LDAP server. The LDAP server is Open
> > Directory and does not have the Samba schema included or configured. I
> > only have read-only access, a keytab, and possibly a read-only bind
> > user. Is this possible?
>
> Oddly, I've had a client ask me much the same thing, and the approach I
> am recommending to them is to use that keytab, and have Samba accept
> kerberos logins as you suggest below.
>
> > I have attempted to get this working in various ways. I tried enabling
> > plaintext auth and relying on PAM for authentication (this works for 3.x,
> > but not 4.x, why is that?).
>
> We busted plaintext auth in 4.x. The patch is trivial (it is in a bug
> somewhere), but I got stubborn and refused to apply it. My argument
> was that we needed a test for it, as otherwise we would just break it
> again, and that needs some work in our auth stack to force use of not
> -pam, and then to put a password in nss_wrapper.
>
> Plaintext auth is a bad idea anyway, it should be avoided where
> possible.
>
> > I have also tried to use kerberos, but am
> > hitting several brick walls just because I'm not familiar with how to
> > handle host principals correctly on OS X.
>
> Do you have any update on that? Kerberos should be the right way, but
> I'm stuck in a similar spot with my client. We kept on having the
> ticket come back as 'service expired'.
>
> It seems it should be as simple as:
>
> kadmin -l
> kadmin> add --random-key cifs/mynas.apples-od.local@APPLES-OD.LOCAL
> Max ticket life [unlimited]:
> Max renewable life [unlimited]:
> Principal expiration time [never]:
> Password expiration time [never]:
> Attributes []:
> Policy [default]:
>
> kadmin> ext_keytab cifs/mynas.apples-od.local@APPLES-OD.LOCAL
> kadmin> exit

This is exactly the problem I am having on OS X.

- John

>
> Sadly, that doesn't work for us yet.
>
> > The last thing I tried was to
> > use pam_smbpass and have everyone ssh into the Samba server and have
> > their passwords stored locally in a TDB database.
> >
> > Clearly there must be another way. I am not happy with any of these
> > methods. AD works out of the box with minimal fuss. Why can't LDAP? I've
> > reviewed the authentication code, and perhaps I am missing something,
> > but it seems straightforward to write an LDAP auth module that does
> > not require the Samba LDAP schema.
> >
>
> The issue is that we need the NT or LM passwords, or someone to
> delegate checking them to.
>
> Ralph,
>
> With all your work on vfs_fruit, I'm wondering if you have any
> experience or a working set of steps for setting up Samba with Kerberos
> in an Apple OD domain?
>
> Thanks,
>
> Andrew Bartlett
>
> --
> Andrew Bartlett
> https://samba.org/~abartlet/
> Authentication Developer, Samba Team https://samba.org
> Samba Development and Support, Catalyst IT
> https://catalyst.net.nz/services/samba
>
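A first thing to verify when a service ticket for the cifs/ principal is rejected is what actually ended up in the keytab that Samba loads: whether the expected principal is present, which KVNO it carries and which enctypes it has. The following is example code added to this archive page; it is not from the thread, and it is not Samba's or Heimdal's code. It parses the v2 keytab format (magic 0x0502) that kadmin's ext_keytab writes, and the sample keytab bytes it inspects are constructed inline with dummy key material; the principal name is the one from the thread, and the KVNO, timestamps and enctypes are assumed values.

```python
"""Parse a Kerberos keytab (MIT/Heimdal v2 format, magic 0x05 0x02) and
report its entries, so the keytab given to Samba can be checked for the
expected cifs/<host>@<REALM> principal, its KVNO and its enctypes.

The sample keytab below is constructed for this example (dummy keys);
nothing in it comes from a real KDC.
"""
import struct
from dataclasses import dataclass

# Common enctype numbers (RFC 3961/3962, RFC 4757).
ENCTYPES = {17: "aes128-cts-hmac-sha1-96",
            18: "aes256-cts-hmac-sha1-96",
            23: "arcfour-hmac-md5"}


@dataclass
class KeytabEntry:
    principal: str   # "service/host@REALM"
    name_type: int   # 1 = KRB5_NT_PRINCIPAL
    timestamp: int   # seconds since the epoch when the entry was written
    kvno: int
    enctype: int
    key: bytes


def _read_counted(buf, pos):
    """Read a 16-bit length-prefixed octet string (big-endian)."""
    (n,) = struct.unpack_from(">H", buf, pos)
    pos += 2
    return buf[pos:pos + n], pos + n


def parse_keytab(data: bytes):
    """Return the list of KeytabEntry records in a v2 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size == 0:
            break
        if size < 0:            # negative size marks a deleted slot
            pos += -size
            continue
        entry = data[pos:pos + size]
        p = 0
        (ncomp,) = struct.unpack_from(">H", entry, p); p += 2
        realm, p = _read_counted(entry, p)
        comps = []
        for _ in range(ncomp):
            c, p = _read_counted(entry, p)
            comps.append(c.decode())
        name_type, ts, vno8 = struct.unpack_from(">IIB", entry, p); p += 9
        enctype, klen = struct.unpack_from(">HH", entry, p); p += 4
        key = entry[p:p + klen]; p += klen
        kvno = vno8
        if p + 4 <= size:       # optional 32-bit KVNO overrides the 8-bit one
            (vno32,) = struct.unpack_from(">I", entry, p)
            if vno32:
                kvno = vno32
        principal = "/".join(comps) + "@" + realm.decode()
        entries.append(KeytabEntry(principal, name_type, ts, kvno, enctype, key))
        pos += size
    return entries


def build_keytab(entries):
    """Encode entries as keytab bytes; used here only to construct the sample."""
    out = bytearray(b"\x05\x02")
    for e in entries:
        name, realm = e.principal.split("@")
        parts = name.split("/")
        body = struct.pack(">H", len(parts))
        body += struct.pack(">H", len(realm)) + realm.encode()
        for c in parts:
            body += struct.pack(">H", len(c)) + c.encode()
        body += struct.pack(">IIB", e.name_type, e.timestamp, e.kvno & 0xFF)
        body += struct.pack(">HH", e.enctype, len(e.key)) + e.key
        body += struct.pack(">I", e.kvno)
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def check_service_principal(data: bytes, principal: str):
    """Entries for `principal` in keytab bytes `data` (empty list if absent)."""
    return [e for e in parse_keytab(data) if e.principal == principal]


SAMPLE_PRINCIPAL = "cifs/mynas.apples-od.local@APPLES-OD.LOCAL"
# Constructed sample: two enctypes for the cifs principal at KVNO 3, plus a
# host principal, all with dummy key bytes.
SAMPLE_KEYTAB = build_keytab([
    KeytabEntry(SAMPLE_PRINCIPAL, 1, 1441339955, 3, 18, b"\x11" * 32),
    KeytabEntry(SAMPLE_PRINCIPAL, 1, 1441339955, 3, 17, b"\x22" * 16),
    KeytabEntry("host/mynas.apples-od.local@APPLES-OD.LOCAL", 1, 1441339955, 2, 18, b"\x33" * 32),
])

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE_KEYTAB):
        print("%-45s kvno=%d %s" % (e.principal, e.kvno, ENCTYPES.get(e.enctype, e.enctype)))
    if not check_service_principal(SAMPLE_KEYTAB, SAMPLE_PRINCIPAL):
        print("missing:", SAMPLE_PRINCIPAL)
```

To run it against a real file, pass `open(path, "rb").read()` to `check_service_principal` instead of `SAMPLE_KEYTAB`; the KVNO and enctypes it reports should match what the KDC issues for that principal, since a mismatch on either is a common reason a service ticket is rejected.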