Hi, I am in a position where I would like to have LDAP authentication for CIFS shares, but cannot modify the LDAP server. The LDAP server is Open Directory and does not have the Samba schema included or configured. I only have read only access, a keytab, and possibly a read only bind user. Is this possible? I have attempted to get this working in various ways. I tried enabling plaintext auth and relying on PAM for authentication (this works for 3.x, but not 4.x, why is that?). I have also tried to use kerberos, but am hitting several brick walls just because I'm not familiar with how to handle host principals correctly on OS X. The last thing I tried was to use pam_smbpass and have everyone ssh into the Samba server and have their passwords stored locally in a TDB database. Clearly there must be another way. I am not happy with any of these methods. AD works out of the box with minimal fuss. Why can't LDAP? I've reviewed the authentication code, and perhaps I am missing something, but it seems straight forward to write an LDAP auth module that does not require the Samba LDAP schema. Does anyone have any input here? I would really appreciate it. Thanks! - John
Andrew Bartlett
2015-Sep-04 00:05 UTC
[Samba] Authentication against Apple Open Directory (was: Re: LDAP authentication without Samba schema)
On Wed, 2015-08-12 at 06:18 -0700, John Hixson wrote:> Hi, > > I am in a position where I would like to have LDAP authentication for > CIFS shares, but cannot modify the LDAP server. The LDAP server is > Open > Directory and does not have the Samba schema included or configured. > I > only have read only access, a keytab, and possibly a read only bind > user. Is this possible?Oddly, I've had a client ask me much the same thing, and the approach I am recommending to them is to use that keytab, and have Samba accept kerberos logins as you suggest below.> I have attempted to get this working in various ways. I tried > enabling > plaintext auth and relying on PAM for authentication (this works for > 3.x, > but not 4.x, why is that?).We busted plaintext auth in 4.x. The patch is trivial (it is in a bug somewhere), but I got stubborn and refused to apply it. My argument was that we needed a test for it, as otherwise we would just break it again, and that needs some work in our auth stack to force use of not -pam, and then to put a password in nss_wrapper. Plaintext auth is a bad idea anyway, it should be avoided where possible.> I have also tried to use kerberos, but am > hitting several brick walls just because I'm not familiar with how to > handle host principals correctly on OS X.Do you have any update on that? Kerberos should be the right way, but I'm stuck in a similar spot with my client. We kept on having the ticket come back as 'service expired'. It seems it should be as simple as: kadmin -l kadmin> add --random-key cifs/mynas.apples-od.local at APPLES-OD.LOCAL Max ticket life [unlimited]: Max renewable life [unlimited]: Principal expiration time [never]: Password expiration time [never]: Attributes []: Policy [default]: kadmin> ext_keytab cifs/mynas.apples-od.local at APPLES-OD.LOCAL kadmin> exit Sadly, that doesn't work for us yet.> The last thing I tried was to > use pam_smbpass and have everyone ssh into the Samba server and have > their passwords stored locally in a TDB database. > > Clearly there must be another way. I am not happy with any of these > methods. AD works out of the box with minimal fuss. Why can't LDAP? > I've > reviewed the authentication code, and perhaps I am missing something, > but it seems straight forward to write an LDAP auth module that does > not require the Samba LDAP schema. >The issue is that we need the NT or LM passwords, or someone to delegate checking them to. Ralph, With all your work on vfs_fruit, I'm wondering if you have an experience or working set of steps for setting up Samba with Kerberos in an Apple OD domain? Thanks, Andrew Bartlett -- Andrew Bartlett https://samba.org/~abartlet/ Authentication Developer, Samba Team https://samba.org Samba Development and Support, Catalyst IT https://catalyst.net.nz/services/samba
John Hixson
2015-Sep-04 04:12 UTC
[Samba] Authentication against Apple Open Directory (was: Re: LDAP authentication without Samba schema)
On Fri, Sep 04, 2015 at 12:05:56PM +1200, Andrew Bartlett wrote:> On Wed, 2015-08-12 at 06:18 -0700, John Hixson wrote: > > Hi, > > > > I am in a position where I would like to have LDAP authentication for > > CIFS shares, but cannot modify the LDAP server. The LDAP server is > > Open > > Directory and does not have the Samba schema included or configured. > > I > > only have read only access, a keytab, and possibly a read only bind > > user. Is this possible? > > Oddly, I've had a client ask me much the same thing, and the approach I > am recommending to them is to use that keytab, and have Samba accept > kerberos logins as you suggest below. > > > I have attempted to get this working in various ways. I tried > > enabling > > plaintext auth and relying on PAM for authentication (this works for > > 3.x, > > but not 4.x, why is that?). > > We busted plaintext auth in 4.x. The patch is trivial (it is in a bug > somewhere), but I got stubborn and refused to apply it. My argument > was that we needed a test for it, as otherwise we would just break it > again, and that needs some work in our auth stack to force use of not > -pam, and then to put a password in nss_wrapper. > > Plaintext auth is a bad idea anyway, it should be avoided where > possible. > > > I have also tried to use kerberos, but am > > hitting several brick walls just because I'm not familiar with how to > > handle host principals correctly on OS X. > > Do you have any update on that? Kerberos should be the right way, but > I'm stuck in a similar spot with my client. We kept on having the > ticket come back as 'service expired'. > > It seems it should be as simple as: > kadmin -l > kadmin> add --random-key cifs/mynas.apples-od.local at APPLES-OD.LOCAL > Max ticket life [unlimited]: > Max renewable life [unlimited]: > Principal expiration time [never]: > Password expiration time [never]: > Attributes []: > Policy [default]: > > kadmin> ext_keytab cifs/mynas.apples-od.local at APPLES-OD.LOCAL > kadmin> exitThis is exactly the problem I am having on OS X. - John> > Sadly, that doesn't work for us yet. > > > The last thing I tried was to > > use pam_smbpass and have everyone ssh into the Samba server and have > > their passwords stored locally in a TDB database. > > > > Clearly there must be another way. I am not happy with any of these > > methods. AD works out of the box with minimal fuss. Why can't LDAP? > > I've > > reviewed the authentication code, and perhaps I am missing something, > > but it seems straight forward to write an LDAP auth module that does > > not require the Samba LDAP schema. > > > > The issue is that we need the NT or LM passwords, or someone to > delegate checking them to. > > Ralph, > > With all your work on vfs_fruit, I'm wondering if you have an > experience or working set of steps for setting up Samba with Kerberos > in an Apple OD domain? > > Thanks, > > Andrew Bartlett > > -- > Andrew Bartlett > https://samba.org/~abartlet/ > Authentication Developer, Samba Team https://samba.org > Samba Development and Support, Catalyst IT > https://catalyst.net.nz/services/samba > > > > >
Reasonably Related Threads
- Authentication against Apple Open Directory (was: Re: LDAP authentication without Samba schema)
- Authentication against Apple Open Directory (was: Re: LDAP authentication without Samba schema)
- LDAP + SASL (kerberos) password syncing
- Synology NAS Samba Upgrade breaks "Classic" domain membership
- error netbios aliases