[Samba] Authentication against Apple Open Directory (was: Re: LDAP authentication without Samba schema)
abartlet@samba.org
Fri Sep 4 20:13:59 UTC 2015
On Thu, 2015-09-03 at 21:12 -0700, John Hixson wrote:
> On Fri, Sep 04, 2015 at 12:05:56PM +1200, Andrew Bartlett wrote:
> > On Wed, 2015-08-12 at 06:18 -0700, John Hixson wrote:
> > > Hi,
> > >
> > > I am in a position where I would like to have LDAP authentication for
> > > CIFS shares, but cannot modify the LDAP server. The LDAP server is Open
> > > Directory and does not have the Samba schema included or configured. I
> > > only have read only access, a keytab, and possibly a read only bind
> > > user. Is this possible?
> > Oddly, I've had a client ask me much the same thing, and the approach I
> > am recommending to them is to use that keytab, and have Samba accept
> > Kerberos logins as you suggest below.
> > > I have attempted to get this working in various ways. I tried enabling
> > > plaintext auth and relying on PAM for authentication (this works for
> > > 3.x, but not 4.x, why is that?).
> > We busted plaintext auth in 4.x. The patch is trivial (it is in a bug
> > somewhere), but I got stubborn and refused to apply it. My argument was
> > that we needed a test for it, as otherwise we would just break it again,
> > and that needs some work in our auth stack to force use of not-pam, and
> > then to put a password in nss_wrapper.
> > Plaintext auth is a bad idea anyway, it should be avoided where possible.
> > > I have also tried to use Kerberos, but am hitting several brick walls
> > > just because I'm not familiar with how to handle host principals
> > > correctly on OS X.
> > Do you have any update on that? Kerberos should be the right way, but
> > I'm stuck in a similar spot with my client. We kept on having the ticket
> > come back as 'service expired'.
> > It seems it should be as simple as:
> > kadmin -l
> > kadmin> add --random-key cifs/mynas.apples-od.local@APPLES-OD.LOCAL
> > Max ticket life [unlimited]:
> > Max renewable life [unlimited]:
> > Principal expiration time [never]:
> > Password expiration time [never]:
> > Attributes :
> > Policy [default]:
> > kadmin> ext_keytab cifs/mynas.apples-od.local@APPLES-OD.LOCAL
> > kadmin> exit
> This is exactly the problem I am having on OS X.
> - John
Thanks for the confirmation. I'll let you and the list know when we
figure this out.
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
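A check worth running after the `ext_keytab` step in the thread, before pointing Samba at the keytab: confirm the keytab really contains the `cifs/` service principal for the NAS, and note its kvno so a later key rollover on the KDC (which leaves the keytab stale) is easy to spot. This is an added example, not code from the thread or from Samba; it assumes the listing comes from MIT `klist -k -t KEYTAB` (Heimdal's `ktutil list` prints different columns), and the sample listing below is constructed.

```shell
#!/bin/sh
# Added example (not from the thread or Samba): verify a keytab exported
# with kadmin contains the principal Samba will be asked to accept.
# Assumes MIT `klist -k -t` output: "<kvno> <date> <time> <principal>".

# keytab_has_principal PRINCIPAL
#   Reads a keytab listing on stdin. Prints the newest kvno of PRINCIPAL
#   and returns 0 if present; prints nothing and returns 1 if absent.
keytab_has_principal() {
    awk -v p="$1" '
        BEGIN { max = 0 }
        # Only data lines start with a numeric kvno; the header and the
        # dashed separator line are skipped by the first pattern.
        $1 ~ /^[0-9]+$/ && $NF == p { found = 1; if ($1 + 0 > max) max = $1 + 0 }
        END { if (found) print max; else exit 1 }'
}

# check_service_keytab LISTING PRINCIPAL...
#   Returns 0 only if every PRINCIPAL is present in LISTING, reporting the
#   kvno of each so it can be compared against the KDC later.
check_service_keytab() {
    listing="$1"; shift
    for princ in "$@"; do
        kvno=$(printf '%s\n' "$listing" | keytab_has_principal "$princ") || {
            echo "missing $princ in keytab" >&2
            return 1
        }
        echo "$princ present, kvno $kvno"
    done
}

# Constructed sample of `klist -k -t /etc/krb5.keytab` output, with an old
# kvno 2 entry left over from an earlier ext_keytab run.
SAMPLE_LISTING='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- --------------------------------------------------
   2 09/04/2015 20:13:59 cifs/mynas.apples-od.local@APPLES-OD.LOCAL
   3 09/04/2015 20:14:10 cifs/mynas.apples-od.local@APPLES-OD.LOCAL'

# Against a real keytab (not run here):
#   check_service_keytab "$(klist -k -t /etc/krb5.keytab)" \
#       cifs/mynas.apples-od.local@APPLES-OD.LOCAL
check_service_keytab "$SAMPLE_LISTING" cifs/mynas.apples-od.local@APPLES-OD.LOCAL
```

If the principal is present but tickets are still rejected, compare the printed kvno with the KDC's current key version for that principal; a mismatch means the keytab must be re-exported.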