samba - Oct 2004 - samba with ldap and digest-md5

Hi all,

I am running samba-server-3.0.6-4.1.100mdk,  openldap-servers-2.1.25-6mdk, 
lib64sasl2-plug-digestmd5-2.1.15-10.1.100mdk.  I have searched through the 
lists and I am wondering if I am the only one doing this kind of set-up..

Anyway question is as follows:  In my ldap server I have normal posix 
accounts with plain text password that are sorted out by a sasl-regex in the 
slapd.conf and that works well.  With smb, how does it handle passwords 
between it and ldap and does anyone know of any special configuration 
settings should be in place to get it to work?  I have read the IDEALX doco 
and several contradictory ones so god knows which is right.  At the moment 
the smb server sees the request from a client (adding a pc to the domain), 
goes off to authenticate but comes back with invalid credentials for the 
"administrator" user.   I am almost sure it is because of the way
samba send
the password but I don't really know.

I know more about ldap than I do about samba so I am hoping to get some 
extra insight to how smb works.   Will samba work with sasl digest-md5 at 
all?

Here are relevant details from smb.conf:
   security = user
   encrypt passwords = yes
   smb passwd file = /etc/samba/smbpasswd
   unix password sync = Yes
   passwd program = /usr/bin/passwd %u
   passwd chat = *New*password* %n\n *Retype*new*password* %n\n 
*passwd:*all*authentication*tokens*updated*successfully*
   pam password change = yes
  encrypt passwords = yes
  smb passwd file = /etc/samba/smbpasswd
  obey pam restrictions = yes
  domain master = yes
  local master = yes
  domain logons = yes
add user script = /usr/share/samba/scripts/smbldap-useradd.pl '%u'
delete user script = /usr/share/samba/scripts/smbldap-userdel.pl '%u'
add user to group script = /usr/share/samba/scripts/smbldap-groupmod.pl -m 
'%u' '%g'
delete user from group script = /usr/share/samba/scripts/smbldap-groupmod.pl 
-x '%u' '%g'
set primary group script = /usr/share/samba/scripts/smbldap-usermod.pl -g 
'%g' '%u'
add group script = /usr/share/samba/scripts/smbldap-groupadd.pl '%g'
&&
/usr/share/samba/scripts/smbldap-groupshow.pl %g|awk '/^gidNumber:/ {print 
$2}'
delete group script = /usr/share/samba/scripts/smbldap-userdel.pl '%g'

passdb backend = ldapsam:ldaps://newser1.cpc.net.au smbpasswd guest
ldap admin dn = uid=administrator,ou=System,ou=People,dc=cpc
ldap port = 389
ldap suffix = dc=cpc
ldap machine suffix = ou=Hosts,ou=System
ldap user suffix = ou=People
ldap group suffix = ou=Group
ldap machine suffix = ou=Hosts,ou=System
ldap user suffix = ou=Utiba,ou=People
ldap group suffix = ou=grpUtiba,ou=Group

smb.log :
  ldap_connect_system: Binding to ldap server ldaps://newser1.cpc.net.au as 
"uid=administrator,ou=System,ou=People,dc=cpc"
[2004/10/19 01:54:31, 2] lib/smbldap.c:smbldap_connect_system(796)
  failed to bind to server with dn= 
uid=administrator,ou=System,ou=People,dc=cpc Error: Invalid credentials

Regards,

Ben

_________________________________________________________________
Don't just search. Find. Check out the new MSN Search! 
http://search.msn.com/

man, 18,.10.2004 kl. 06.40 +0000, skrev Ben Booble:
> Hi all,
> 
> I am running samba-server-3.0.6-4.1.100mdk,  openldap-servers-2.1.25-6mdk, 
> lib64sasl2-plug-digestmd5-2.1.15-10.1.100mdk.  I have searched through the 
> lists and I am wondering if I am the only one doing this kind of set-up..
> 
> Anyway question is as follows:  In my ldap server I have normal posix 
> accounts with plain text password that are sorted out by a sasl-regex in
the
> slapd.conf and that works well.  With smb, how does it handle passwords 
> between it and ldap and does anyone know of any special configuration 
> settings should be in place to get it to work?  I have read the IDEALX doco
> and several contradictory ones so god knows which is right.  At the moment 
> the smb server sees the request from a client (adding a pc to the domain), 
> goes off to authenticate but comes back with invalid credentials for the 
> "administrator" user.   I am almost sure it is because of the way
samba send
> the password but I don't really know.
> 
> I know more about ldap than I do about samba so I am hoping to get some 
> extra insight to how smb works.   Will samba work with sasl digest-md5 at 
> all?
No.
Samba uses it's own passwordhashes that are stored in the
sambaNTPassword and sambaLMpassword attributes to each user. The
passwordexchange between samba and the windowscomputers is done using
this passwordhash. So no digest-md5 there.

But: As samba doesn't relate to the userPassword attribute at all, you
may have digest-md5 for other uses, like mail etc.

Also, there is a patch to cyrus-sasl so that cyrus-sasl can use domain
to check if a user is authenticated. I haven't tested it, but if I've
understood the patch correctly then the patch may be used to grant
clients SSO to saslenabled services. (Abartlett: yes or no?)

Even if it doesn't do that, you'll get a more secure passwordexchange
than just plaintext for those clients.

Also, there's a module to Openldap 2.2.x that makes Openldap take over
the job of syncing passwords between the differen hashes stored in the
database. It might be worth looking at that.

Tarjei
> 
> Here are relevant details from smb.conf:
>    security = user
>    encrypt passwords = yes
>    smb passwd file = /etc/samba/smbpasswd
>    unix password sync = Yes
>    passwd program = /usr/bin/passwd %u
>    passwd chat = *New*password* %n\n *Retype*new*password* %n\n 
> *passwd:*all*authentication*tokens*updated*successfully*
>    pam password change = yes
>   encrypt passwords = yes
>   smb passwd file = /etc/samba/smbpasswd
>   obey pam restrictions = yes
>   domain master = yes
>   local master = yes
>   domain logons = yes
> add user script = /usr/share/samba/scripts/smbldap-useradd.pl '%u'
> delete user script = /usr/share/samba/scripts/smbldap-userdel.pl
'%u'
> add user to group script = /usr/share/samba/scripts/smbldap-groupmod.pl -m 
> '%u' '%g'
> delete user from group script =
/usr/share/samba/scripts/smbldap-groupmod.pl
> -x '%u' '%g'
> set primary group script = /usr/share/samba/scripts/smbldap-usermod.pl -g 
> '%g' '%u'
> add group script = /usr/share/samba/scripts/smbldap-groupadd.pl
'%g' &&
> /usr/share/samba/scripts/smbldap-groupshow.pl %g|awk '/^gidNumber:/
{print
> $2}'
> delete group script = /usr/share/samba/scripts/smbldap-userdel.pl
'%g'
> 
> passdb backend = ldapsam:ldaps://newser1.cpc.net.au smbpasswd guest
> ldap admin dn = uid=administrator,ou=System,ou=People,dc=cpc
> ldap port = 389
> ldap suffix = dc=cpc
> ldap machine suffix = ou=Hosts,ou=System
> ldap user suffix = ou=People
> ldap group suffix = ou=Group
> ldap machine suffix = ou=Hosts,ou=System
> ldap user suffix = ou=Utiba,ou=People
> ldap group suffix = ou=grpUtiba,ou=Group
> 
> smb.log :
>   ldap_connect_system: Binding to ldap server ldaps://newser1.cpc.net.au as
> "uid=administrator,ou=System,ou=People,dc=cpc"
> [2004/10/19 01:54:31, 2] lib/smbldap.c:smbldap_connect_system(796)
>   failed to bind to server with dn= 
> uid=administrator,ou=System,ou=People,dc=cpc Error: Invalid credentials
> 
> Regards,
> 
> Ben
> 
> _________________________________________________________________
> Don't just search. Find. Check out the new MSN Search! 
> http://search.msn.com/
> 
-- 
Tarjei Huse <tarjei@nu.no>