[Samba] Authentication against Apple Open Directory (was: Re: LDAP authentication without Samba schema)

Andrew Bartlett abartlet at samba.org
Fri Sep 4 20:13:59 UTC 2015


On Thu, 2015-09-03 at 21:12 -0700, John Hixson wrote:
> On Fri, Sep 04, 2015 at 12:05:56PM +1200, Andrew Bartlett wrote:
> > On Wed, 2015-08-12 at 06:18 -0700, John Hixson wrote:
> > > Hi,
> > > 
> > > I am in a position where I would like to have LDAP authentication for
> > > CIFS shares, but cannot modify the LDAP server. The LDAP server is Open
> > > Directory and does not have the Samba schema included or configured. I
> > > only have read only access, a keytab, and possibly a read only bind
> > > user. Is this possible?
> > 
> > Oddly, I've had a client ask me much the same thing, and the approach I
> > am recommending to them is to use that keytab, and have Samba accept
> > kerberos logins as you suggest below.
> > 
> > > I have attempted to get this working in various ways. I tried enabling
> > > plaintext auth and relying on PAM for authentication (this works for
> > > 3.x, but not 4.x, why is that?).
> > 
> > We busted plaintext auth in 4.x.  The patch is trivial (it is in a bug
> > somewhere), but I got stubborn and refused to apply it.  My argument
> > was that we needed a test for it, as otherwise we would just break it
> > again, and that needs some work in our auth stack to force use of
> > not-pam, and then to put a password in nss_wrapper.
> > 
> > Plaintext auth is a bad idea anyway, it should be avoided where
> > possible.
> > 
> > > I have also tried to use kerberos, but am hitting several brick walls
> > > just because I'm not familiar with how to handle host principals
> > > correctly on OS X.
> > 
> > Do you have any update on that?  Kerberos should be the right way, but
> > I'm stuck in a similar spot with my client.  We kept on having the
> > ticket come back as 'service expired'.
> > 
> > It seems it should be as simple as: 
> > kadmin -l
> > kadmin> add --random-key cifs/mynas.apples-od.local@APPLES-OD.LOCAL
> > Max ticket life [unlimited]:
> > Max renewable life [unlimited]:
> > Principal expiration time [never]:
> > Password expiration time [never]:
> > Attributes []:
> > Policy [default]:
> > 
> > kadmin> ext_keytab cifs/mynas.apples-od.local@APPLES-OD.LOCAL
> > kadmin> exit
> 
> This is exactly the problem I am having on OS X. 
> 
> - John

Thanks for the confirmation.  I'll let you and the list know when we
figure this out.

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
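The quoted kadmin session ends with `ext_keytab`, and the next thing a practitioner wants is to confirm what actually landed in the keytab before pointing Samba at it: that an entry for cifs/<host>@<REALM> is present, which enctypes it covers, and whether its kvno matches what the KDC currently hands out (a stale kvno is a common reason a ticket the KDC issues cannot be decrypted by the service). The block below is an added example, not code from the thread or from Samba or Heimdal; it parses the 0x0502 on-disk keytab format that both MIT and Heimdal tools write, then runs those checks. The principal, realm, kvno values, key bytes and timestamp are constructed test data, and `kdc_kvno` is assumed to come from a separate `kvno` or kadmin `get` query against the real KDC.

```python
"""Inspect a Kerberos keytab (MIT/Heimdal 0x0502 on-disk format) offline.

Added example, not project code. The sample keytab at the bottom is constructed
test data: the principal, realm, kvno, key bytes and timestamp are made up.
"""
import struct
from dataclasses import dataclass

KEYTAB_MAGIC = b"\x05\x02"          # file format version 0x0502
AES128_CTS_HMAC_SHA1_96 = 17
AES256_CTS_HMAC_SHA1_96 = 18
ENCTYPE_NAMES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}


@dataclass(frozen=True)
class KeytabEntry:
    principal: str        # e.g. "cifs/mynas.apples-od.local@APPLES-OD.LOCAL"
    name_type: int
    timestamp: int
    kvno: int
    enctype: int
    key: bytes


def _counted(data, pos):
    """uint16 length followed by that many bytes (used for realm and name components)."""
    (n,) = struct.unpack_from(">H", data, pos)
    pos += 2
    return data[pos:pos + n].decode(), pos + n


def parse_keytab(data: bytes) -> list:
    """Walk every slot in a 0x0502 keytab and return the live entries."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos < len(data):
        (size,) = struct.unpack_from(">i", data, pos)   # entry length, sign marks deleted slots
        pos += 4
        if size < 0:
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)  # v2: component count excludes the realm
        pos += 2
        realm, pos = _counted(data, pos)
        comps = []
        for _ in range(ncomp):
            c, pos = _counted(data, pos)
            comps.append(c)
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        enctype, keylen = struct.unpack_from(">HH", data, pos)
        pos += 4
        key = data[pos:pos + keylen]
        pos += keylen
        kvno = vno8
        if end - pos >= 4:                               # optional 32-bit kvno overrides vno8
            (vno32,) = struct.unpack_from(">I", data, pos)
            if vno32:
                kvno = vno32
        pos = end
        entries.append(KeytabEntry("/".join(comps) + "@" + realm, name_type, timestamp, kvno, enctype, key))
    return entries


def keys_for(entries, principal):
    return [e for e in entries if e.principal == principal]


def check_service_principal(entries, principal, kdc_kvno=None):
    """Return a list of problems; an empty list means the keytab looks usable for `principal`.

    `kdc_kvno` is assumed to be what `kvno <principal>` or kadmin `get` reports as the
    KDC's current key version; pass None to skip that comparison.
    """
    keys = keys_for(entries, principal)
    if not keys:
        return [f"no keys for {principal}"]
    problems = []
    if not any(k.enctype in (AES128_CTS_HMAC_SHA1_96, AES256_CTS_HMAC_SHA1_96) for k in keys):
        names = sorted({ENCTYPE_NAMES.get(k.enctype, str(k.enctype)) for k in keys})
        problems.append(f"no AES enctype for {principal} (only {names})")
    if kdc_kvno is not None and kdc_kvno not in {k.kvno for k in keys}:
        have = sorted({k.kvno for k in keys})
        problems.append(f"keytab has kvno {have} but KDC is at kvno {kdc_kvno}: re-run ext_keytab")
    return problems


def build_entry(principal, realm, kvno, enctype, key, timestamp=1441360000):
    """Serialise one keytab entry; only used to construct the offline sample below."""
    comps = principal.split("/")
    body = struct.pack(">H", len(comps)) + struct.pack(">H", len(realm)) + realm.encode()
    for c in comps:
        body += struct.pack(">H", len(c)) + c.encode()
    body += struct.pack(">IIB", 1, timestamp, kvno & 0xFF)   # NT-PRINCIPAL, timestamp, vno8
    body += struct.pack(">HH", enctype, len(key)) + key
    body += struct.pack(">I", kvno)                           # vno32 trailer
    return struct.pack(">i", len(body)) + body


CIFS = "cifs/mynas.apples-od.local@APPLES-OD.LOCAL"
# Constructed sample: two AES keys for the cifs/ principal at kvno 3, plus an unrelated host/ entry.
SAMPLE_KEYTAB = (
    KEYTAB_MAGIC
    + build_entry("cifs/mynas.apples-od.local", "APPLES-OD.LOCAL", 3, AES256_CTS_HMAC_SHA1_96, bytes(range(32)))
    + build_entry("cifs/mynas.apples-od.local", "APPLES-OD.LOCAL", 3, AES128_CTS_HMAC_SHA1_96, bytes(range(16)))
    + build_entry("host/mynas.apples-od.local", "APPLES-OD.LOCAL", 1, AES256_CTS_HMAC_SHA1_96, bytes(32))
)

if __name__ == "__main__":
    entries = parse_keytab(SAMPLE_KEYTAB)
    for e in entries:
        print(f"kvno {e.kvno:3d}  {ENCTYPE_NAMES.get(e.enctype, str(e.enctype)):25s} {e.principal}")
    print(check_service_principal(entries, CIFS, kdc_kvno=3))   # []
    print(check_service_principal(entries, CIFS, kdc_kvno=4))   # kvno mismatch reported
```

Against a real file, replace `SAMPLE_KEYTAB` with the bytes of the keytab `ext_keytab` wrote and feed `check_service_principal` the kvno the KDC reports; `klist -kt <file>` should agree with what `parse_keytab` prints, and if the kvno check fails the fix is to re-export rather than to touch Samba.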