[Samba] Authentication against Apple Open Directory (was: Re: LDAP authentication without Samba schema)

Andrew Bartlett abartlet at samba.org
Sat Jan 19 18:51:23 UTC 2019


On Thu, 2019-01-10 at 23:42 -0800, Eric Altman via samba wrote:
> I am absolutely loath to necro a thread like this so far in the
> future, but that's kind of the point here...
> 
> It's 2019 and as much as I've tried (everything in this thread and
> more... like trying some weird trickery with pam_exec), I can't
> figure this out.
> 
> I have clients with huge and elaborate OD environments that I
> absolutely would never have access to the terminal/desktop of, much
> less the schema of. This precludes a lot of the methods of getting
> around this, which usually involve some kind of access to the OD
> server.
> 
> Any progress on this, or do I finally, after almost 2 and a half
> years in some cases, tell clients this is never going to happen?
> (The frustration is at the situation, not anyone on the Samba team.)

I worked with a commercial client trying to find a way to make this
work, and despite quite some effort (trying to behave the same way the
Mac SMB server does, or even investigating having some agent on the OD
server) we didn't make any useful progress, not even to the point of
having a protocol.

And that assumed some pretty privileged access to OD, which you don't
have.

Essentially this was lost when we killed security=server, which isn't
compatible with NTLMv2 and isn't compatible with any form of session
signing (now pretty much required, at least at negotiation).

Of course, you can still use Kerberos; that just requires that you get
a keytab and set up DNS properly, etc.

Sorry!

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba