Hi,

Here is my desired configuration:

An external LDAP server, Samba 4.1.8 (not configured as a member server or as a domain controller), and SSSD configured with the external LDAP server. Authentication locally and via ssh works fine using pam_sss.so. When attempting to authenticate a share on Windows using an LDAP user's credentials, the request fails with NT_STATUS_ACCESS_DENIED. I'd like to do this without configuring Samba at all to use LDAP, is this possible?

- John

Separate "account management" from "authentication". LDAP is critical for account management, but the underlying authentication is usually Kerberos. You've neglected to say what is your base OS, so it's hard to be more specific than that, but I'd look at your relevant Kerberos setups and test if you can do 'kinit' to add Kerberos tickets.

On Fri, Jun 6, 2014 at 1:36 PM, John Hixson <john at ixsystems.com> wrote:
> Hi,
>
> Here is my desired configuration:
>
> An external LDAP server, Samba 4.1.8 (not configured as a member server
> or as a domain controller), and SSSD configured with the external LDAP
> server. Authentication locally and via ssh works fine using pam_sss.so.
> When attempting to authenticate a share on Windows using an LDAP user's
> credentials, the request fails with NT_STATUS_ACCESS_DENIED. I'd like to
> do this without configuring Samba at all to use LDAP, is this possible?
>
> - John

On Fri, 2014-06-06 at 10:36 -0700, John Hixson wrote:
> Hi,
>
> Here is my desired configuration:
>
> An external LDAP server, Samba 4.1.8 (not configured as a member server
> or as a domain controller), and SSSD configured with the external LDAP
> server. Authentication locally and via ssh works fine using pam_sss.so.
> When attempting to authenticate a share on Windows using an LDAP user's
> credentials, the request fails with NT_STATUS_ACCESS_DENIED. I'd like to
> do this without configuring Samba at all to use LDAP, is this possible?

By what process do you expect Samba to obtain the NT password hash, or to forward the NTLM response, and what would do the NTLM calculation to verify it?

Andrew Bartlett

--
Andrew Bartlett                        http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org
Samba Developer, Catalyst IT           http://catalyst.net.nz/services/samba