Hello all!!

I have partially achieved full single sign-on, synched passwords with Samba 2.2.5 and OpenLDAP 2.0.25 on Mandrake 8.2.

I can change my PDC password from a Win2K box and it synchs the Linux/Unix/LDAP password correctly. I can change my password from Linux using 'passwd' and it synchs the PDC password.

Samba is the PDC, and uses LDAP as the smbpasswd backend.

This all works using PAM, pam_ldap, nss_ldap and pam_smbpasswd.

All the communication with LDAP (from pam_ldap and Samba) is done over SSL, so the security of the authenticator connections is subject to the strength of the SSL layer, which we all know is pretty much a "whatever you want" issue (with known limitations, beyond scope of this post).

However, among the important issues remaining - this one is for this mailing list:

- I need to be able to replace pam_smbpasswd with pam_winbind or equivalent - i.e., a pam module that allows me to authenticate against a PDC, and request a password change from a PDC as opposed to changing the tokens directly (like pam_smbpasswd does). pam_winbind does NOT work with a Samba PDC (to my knowledge and experience, at least).

Any suggestions? Anybody know if/when pam_winbind will be able to do what I need?

I COULD implement the module myself, using the authentication code from libsmbclient (as it pertains to logging on to resources), and password update code from smbpasswd (when told to change the password on a remote machine), although I don't see this as a trivial issue, and I also see limitations because of the PDC's authentication protocol not being supported by PAM (hence the coming of winbind).

Getting user lists from a PDC is NOT desirable, as we will always be using Samba on Linux for PDC duties and will thus be able to get the info from LDAP (with the same userids all over).

I hope somebody has figured this out.

I'd be glad to provide details, configurations, etc, on how to accomplish the same setup I have.

Best

Diego Rivera
On 23 Jun 2002, Diego Rivera wrote:

> Hello all!!
>
> I have partially achieved full single sign-on, synched passwords with
> Samba 2.2.5 and OpenLDAP 2.0.25 on Mandrake 8.2.
>
> I can change my PDC password from a Win2K box and it synchs the
> Linux/Unix/LDAP password correctly. I can change my password from Linux
> using 'passwd' and it synchs the PDC password.
>
> Samba is the PDC, and uses LDAP as the smbpasswd backend.
>
> This all works using PAM, pam_ldap, nss_ldap and pam_smbpasswd.
>
> All the communication with LDAP (from pam_ldap and Samba) is done over
> SSL, so the security of the authenticator connections is subject to the
> strength of the SSL layer, which we all know is pretty much a "whatever
> you want" issue (with known limitations, beyond scope of this post).

Cool!! Any big hurdles??

> However, among the important issues remaining - this one is for this
> mailing list:
>
> - I need to be able to replace pam_smbpasswd with pam_winbind or
> equivalent - i.e., a pam module that allows me to authenticate against a
> PDC, and request a password change from a PDC as opposed to changing the
> tokens directly (like pam_smbpasswd does). pam_winbind does NOT work
> with a Samba PDC (to my knowledge and experience, at least).
>
> Any suggestions? Anybody know if/when pam_winbind will be able to do
> what I need?

What is it you are really trying to do? You cannot have both a samba DC and a WIN DC in the same domain. What am I missing??

> I COULD implement the module myself, using the authentication code from
> libsmbclient (as it pertains to logging on to resources), and password
> update code from smbpasswd (when told to change the password on a remote
> machine), although I don't see this as a trivial issue, and I also see
> limitations because of the PDC's authentication protocol not being
> supported by PAM (hence the coming of winbind).
>
> Getting user lists from a PDC is NOT desirable, as we will always be
> using Samba on Linux for PDC duties and will thus be able to get the
> info from LDAP (with the same userids all over).

Same question as above.

> I hope somebody has figured this out.
>
> I'd be glad to provide details, configurations, etc, on how to
> accomplish the same setup I have.

I am very interested in what you did to get this working. I have not tried with 2.2.5 yet but I need to do this. Our hdq is moving in Sept. and I do not want to move the NT P/BDC machines. If I can get the functionality I need from samba+LDAP, they are then gone!! What you did is a big part of that.

-- 
.............Tom               "Nothing would please me more than being able to
tdiehl@rogueind.com             hire ten programmers and deluge the hobby market
                                with good software." -- Bill Gates 1976
                                We are still waiting ....
Diego Rivera wrote:
>
> Hello all!!
>
> I have partially achieved full single sign-on, synched passwords with
> Samba 2.2.5 and OpenLDAP 2.0.25 on Mandrake 8.2.
>
> I can change my PDC password from a Win2K box and it synchs the
> Linux/Unix/LDAP password correctly. I can change my password from Linux
> using 'passwd' and it synchs the PDC password.
>
> Samba is the PDC, and uses LDAP as the smbpasswd backend.
>
> This all works using PAM, pam_ldap, nss_ldap and pam_smbpasswd.
>
> All the communication with LDAP (from pam_ldap and Samba) is done over
> SSL, so the security of the authenticator connections is subject to the
> strength of the SSL layer, which we all know is pretty much a "whatever
> you want" issue (with known limitations, beyond scope of this post).
>
> However, among the important issues remaining - this one is for this
> mailing list:
>
> - I need to be able to replace pam_smbpasswd with pam_winbind or
> equivalent - i.e., a pam module that allows me to authenticate against a
> PDC, and request a password change from a PDC as opposed to changing the
> tokens directly (like pam_smbpasswd does). pam_winbind does NOT work
> with a Samba PDC (to my knowledge and experience, at least).

Yes, it does. You may however need to use Samba HEAD for winbindd itself to function.

> Any suggestions? Anybody know if/when pam_winbind will be able to do
> what I need?
>
> I COULD implement the module myself, using the authentication code from
> libsmbclient (as it pertains to logging on to resources), and password
> update code from smbpasswd (when told to change the password on a remote
> machine), although I don't see this as a trivial issue, and I also see
> limitations because of the PDC's authentication protocol not being
> supported by PAM (hence the coming of winbind).

That's all pam_winbind does, btw. It just goes over the winbind pipe first, but that is all it actually does - winbindd then makes the same call as smbpasswd does.

> Getting user lists from a PDC is NOT desirable, as we will always be
> using Samba on Linux for PDC duties and will thus be able to get the
> info from LDAP (with the same userids all over).

Make sure to set 'winbind use default domain' then, so winbind doesn't demand a 'domain\' prefix. Again, this is only supported in HEAD.

> I hope somebody has figured this out.
>
> I'd be glad to provide details, configurations, etc, on how to
> accomplish the same setup I have.

The other way to do this would be to implement a plugin for the ldap server that changed both the unix and NT passwords at the same time - I understand that this is supported, but I've not messed with it myself. That would allow you to just use pam_ldap on your Linux clients.

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet@pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet@samba.org
Student Network Administrator, Hawker College   abartlet@hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net