Chris Richardson
2004-Sep-21 13:31 UTC
[Samba] Samba server authenticating to NetWare server?
Hello,

I've been Googling and O'Reillying around this problem for the last week without success, so I'm either stupid or it's not possible. My money's still on stupid.

Can someone confirm that I can't do what I want to do:

- Have a SuSE 9.1 Linux box running Samba 3.0 exporting shares by SMB.
- Have users log into Windows boxes running a NetWare client, authenticating by NDS to a Netware 6.5 server.
- Have the Windows users mount SMB shares with an encrypted password that is authenticated by Samba against the NetWare server, either using NDS or LDAP.

If I've understood what I've read so far, a Samba server receiving an encrypted password with a mount request must have a local smbpasswd file to validate it. Is there really no mechanism for passing the authentication buck to an NDS or LDAP server?

If this is true, it looks like my options are:

- Keep using our outdated, flaky NFS to Netware bridge until it drives me insane,
- Use plain-text passwords with the mount requests, or,
- Have separate local passwords on the Samba server.

Any suggestions gratefully received.

Chris

--
Dr Chris Richardson - sysadmin, Structural Biology Section, icr.ac.uk
Pierre Dinh-van
2004-Sep-21 13:43 UTC
[Samba] Samba server authenticating to NetWare server?
On Tuesday 21 September 2004 15:29, Chris Richardson wrote:

> Hello,

Hello

> I've been Googling and O'Reillying around this problem for the last
> week without success, so I'm either stupid or it's not possible. My
> money's still on stupid.
>
> Can someone confirm that I can't do what I want to do:
>
> - Have a SuSE 9.1 Linux box running Samba 3.0 exporting shares by SMB.
> - Have users log into Windows boxes running a NetWare client,
> authenticating by NDS to a Netware 6.5 server.

If I remember well, since Netware > 5, the NDS can be interrogated by LDAP clients.

> - Have the Windows users mount SMB shares with an encrypted password
> that is authenticated by Samba against the NetWare server, either using NDS
> or LDAP.

I did it a year ago against an eDirectory server, but I needed to extend its schema with the samba-nds.schema (that is included in samba).

> If I've understood what I've read so far, a Samba server receiving an
> encrypted password with a mount request must have a local smbpasswd
> file to validate it. Is there really no mechanism for passing the
> authentication buck to an NDS or LDAP server?

If you configure smbd to use LDAP as passdb, there might be no problem. Samba will read the encrypted password in the samba(NT|LM)Password attribute of the LDAP entry.

Good luck

--
Pierre Dinh-van
> Subject: Re: [Samba] Samba server authenticating to NetWare server?
>
> On Tuesday 21 September 2004 15:29, Chris Richardson wrote:
> > Can someone confirm that I can't do what I want to do:
> >
> > - Have a SuSE 9.1 Linux box running Samba 3.0 exporting shares by SMB.
> > - Have users log into Windows boxes running a NetWare client,
> > authenticating by NDS to a Netware 6.5 server.

Or if you want to wait a bit Novell are going to bring out Open server which syncs POSIX, samba sids (samba 3.x) & Netware credentials in edirectory. But you will apparently have to wait till after Jan 2005.

How much work do you want to do?

Geoff.
Chris Richardson
2004-Sep-22 13:19 UTC
[Samba] Samba server authenticating to NetWare server?
>>> Pierre Dinh-van <pierre@tuxfamily.org> 09/21/04 2:42 PM >>>

[About a Samba server authenticating to a Netware server by NDS or LDAP with encrypted passwords]

> I did it a year ago against a eDirectory server, but I needed to extend its
> schema with the samba-nds.schema (that is include in samba).
>
> <...>
>
> If you configure smbd to use LDAP as passdb, there might be no problem. Samba
> will read the encrypted password in the samba(NT|LM)Password attribute of the
> LDAP entry.

I had thought of using this approach, but there's an organisational problem to do with levels of trust. I can get the samba schema installed on the Netware server with a little persuasion. But, as I understand it, the Samba LDAP passdb plugin wants to have an administrative user in the LDAP database that can change samba-related attributes for each user. This would take some political effort for me to achieve, because the Netware server is run by a different group within the organisation.

Using PAM modules, I can get linux logins authenticated against the Netware/LDAP server without having to do anything to it (other than have POSIX UID and GID information attributes added for each user). I was hoping there would be some (secure) way to do this for Samba. It works using PAM-Samba modules, but then Samba has to use unencrypted passwords.

I guess I'm just being optimistic.

Thanks for the comments so far,

Chris
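
The two Samba 3.0 setups weighed in this thread, side by side, as an added smb.conf sketch that no participant posted. The host name, suffix and admin DN are constructed placeholders, and the two `[global]` sections are alternatives for separate files, not one configuration.

```ini
# Added illustration, not from the thread.
# ldap.example.org, o=example and cn=samba-admin are constructed placeholders.

# --- Alternative A: plaintext passwords (the weak setting) ---
[global]
    security = user
    # The client sends the cleartext password, so smbd can pass it to the
    # system's authentication (PAM where Samba is built with it) and the
    # directory needs no Samba-specific data. The password crosses the
    # network unencrypted.
    encrypt passwords = no

# --- Alternative B: encrypted passwords with an LDAP passdb ---
[global]
    security = user
    # With challenge/response the cleartext password never reaches smbd,
    # so it cannot be replayed as an LDAP bind. smbd must instead read the
    # stored sambaNTPassword / sambaLMPassword hashes to check the response.
    encrypt passwords = yes
    passdb backend = ldapsam:ldap://ldap.example.org
    ldap suffix = o=example
    # Account smbd binds as; this is the privileged directory user the
    # last message refers to. Its password is stored locally with
    # "smbpasswd -w", not in smb.conf.
    ldap admin dn = cn=samba-admin,o=example
    # The password hashes travel over this connection, so protect it.
    ldap ssl = start tls
```

Because the stored hashes are password-equivalent for SMB logons, directory ACLs on the sambaNTPassword and sambaLMPassword attributes should restrict reads to the account smbd binds as.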