Hello,
I am using LDAP as passdb and idmap backends with Samba 3.0.3, and have
a problem with the configuration of 'ldap admin dn'. Currently, I have
to set the password for this DN with 'smbpasswd -w' (which works) and
Samba is doing simple LDAP binds then.
I would prefer a GSSAPI based LDAP authentication, which would have the
following advantages:
* the 'userPassword' attribute could be dropped (Samba is the only
service which is requiring it); supporting this attribute besides krb5
requires some effort on the LDAP server
* the authentication is passwordless; potential attackers can not hack
passwords (krb tickets are limited in time and probably uninteresting
for them)
* it would ease configuration with 'cfengine'; executing 'smbpasswd
-w<password>' is really bad since '<password>' appears for a short
time in the process list. Since the password is stored in a binary
format, it can not be modified in another way.
The practical usage of GSSAPI based auth would be:
1. configure a krb5 cache file (e.g. with $KRB5CCNAME, or an option in
smb.conf)
2. periodically (with a cronjob) write the ticket into this file (when
you are paranoid, this can happen on another machine and copied with
ssh)
3. on demand, samba uses ldap_sasl_bind() instead of ldap_simple_bind()
Am I missing something and such a setup is already supported by samba, or
is it a wishlist item?
Enrico
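One way to implement steps 1 and 2 of the proposal above, as an added example that is not part of the original post or of Samba: a cron-driven refresh of the Kerberos ticket cache from a keytab, so that no password ever appears on a command line, written into a private temp file and renamed into place so Samba never reads a half-written cache. The principal, keytab path, cache path and cron schedule are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: the cron job of step 2, which
# refreshes Samba's Kerberos ticket cache from a keytab so no password is
# ever typed on a command line. The principal, keytab and cache path below
# are hypothetical values, not Samba defaults.
PRINCIPAL="samba/ldap-client.example.com@EXAMPLE.COM"
KEYTAB="/etc/samba/samba.keytab"
CACHE="/var/lib/samba/krb5cc_samba"   # KRB5CCNAME (step 1) would point here

# acquire_samba_ticket TMPFILE: obtain a fresh TGT from the keytab into
# TMPFILE and confirm it is usable (klist -s exits 0 only for a live ticket).
acquire_samba_ticket() {
    kinit -k -t "$KEYTAB" -c "$1" "$PRINCIPAL" && klist -s -c "$1"
}

# refresh_cache CACHE CMD [ARGS...]: run "CMD ARGS... TMPFILE" to produce a
# new cache in a 0600 temp file next to CACHE, then rename it into place.
# The rename is atomic, so Samba never sees a partial cache, and a failed
# acquisition leaves the previous (still valid) cache untouched.
refresh_cache() {
    local cache="$1" dir tmp old_umask
    shift
    dir=$(dirname "$cache")
    old_umask=$(umask)
    umask 077                                  # cache must not be group/world readable
    tmp=$(mktemp "$dir/.krb5cc.XXXXXX") || { umask "$old_umask"; return 1; }
    if ! "$@" "$tmp" || [ ! -s "$tmp" ]; then
        rm -f "$tmp"                           # never leave a stale temp file behind
        umask "$old_umask"
        return 1
    fi
    umask "$old_umask"
    mv -f "$tmp" "$cache"
}

# Assumed /etc/cron.d entry: refresh well before the ticket lifetime ends,
# e.g. every 6 hours for a 10-hour ticket, running as the cache's owner:
#   0 */6 * * * samba KRB5CCNAME=FILE:/var/lib/samba/krb5cc_samba \
#       /usr/local/sbin/refresh-samba-cc
# where refresh-samba-cc sources this file and runs:
#   refresh_cache "$CACHE" acquire_samba_ticket
```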