Fabrizio Reale
2009-Nov-28 16:22 UTC
[Samba] Authenticate Samba with an LDAP w/o the schema
Hi all,

I'd like to authenticate my fresh Samba installation against an LDAP server without the Samba schema. Obviously I cannot touch it.

So I'd like to use LDAP just for the authentication without getting the UID and the other parameters from it. I can use the same UID, home folder and so on for all the users; the only important thing is to provide access only to the LDAP users.

Is it possible?

Thank you,
Fabrizio
It's not possible, because Windows doesn't use a uid for the authentication. It uses a user identifier called sambaSID, and in order to log into Windows through an LDAP server you need to be in a Samba Domain. A Samba Domain also has a sambaSID. The last 3 numbers of a user sambaSID identify which kind of user it is: administrator, machine, normal user, etc. Furthermore, a machine which is in a Samba Domain also needs a Samba account with a sambaSID.

All the sambaAccounts for users, machines, administrators, groups, and so on need some special attributes like the password. The password is encrypted in a different way than Unix passwords; the attribute is called sambaNTPassword or sambaLMPassword depending on the Windows version. So you can't make your Windows log in to an LDAP without "setting up" your LDAP server.

The other question is if you only use Samba shares. If you want to give access to LDAP users only, I think that the only way you have is to create some scripts to manage this, but it's not a very elegant solution: getting the LDAP users every x time, and smbpasswd for the new ones...

The best solution is to add an include of the Samba schema to slapd.conf, but if you don't own the server I think that the only way you have is to "think".

LiPi

2009/11/28 Fabrizio Reale <fabrizio.reale at redomino.com>:
> Hi all,
> I'd like to authenticate my fresh Samba installation against an LDAP server
> without the Samba schema. Obviously I cannot touch it.
>
> So I'd like to use LDAP just for the authentication without getting
> the UID and the other parameters from it.
> I can use the same UID, home folder and so on for all the users, the only
> important thing is to provide access only to the LDAP users.
>
> Is it possible?
>
> Thank you,
> Fabrizio
There are a few ways you could do it, but none of them are good. Basically, the principle has to be that because you can't touch the LDAP server, you have to use user names/passwords for authentication. The situation is fundamentally the same as if you had your users listed in /etc/passwd, so all the same techniques should still work (albeit with modifications). Here are the options. Sorry I can't provide details, only outlines to get you started.

- Turn off CHAP and use plain text passwords. VERY bad idea, but it should work. You will probably have to configure PAM to authenticate against the LDAP server; I'm not quite sure exactly how to do that.
- Use smbpasswd to store the Samba passwords, and use Samba's various mechanisms to keep the passwords in sync between LDAP and smbpasswd.
- What kind of LDAP server is it? It may offer some other mechanism that you can use. For instance, Active Directory would work easily by having your Samba server join the AD domain.

> -----Original Message-----
> From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org] On Behalf Of Fabrizio Reale
> Sent: Saturday, November 28, 2009 8:22 AM
> To: samba at lists.samba.org
> Subject: [Samba] Authenticate Samba with an LDAP w/o the schema
>
> Hi all,
> I'd like to authenticate my fresh Samba installation against an LDAP server
> without the Samba schema. Obviously I cannot touch it.
>
> So I'd like to use LDAP just for the authentication without getting
> the UID and the other parameters from it.
> I can use the same UID, home folder and so on for all the users, the only
> important thing is to provide access only to the LDAP users.
>
> Is it possible?
>
> Thank you,
> Fabrizio
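As an added illustration of the points both replies turn on (LiPi's explanation that the password lives in sambaNTPassword in a format unrelated to the Unix password hash and that the trailing component of a sambaSID, the RID, encodes the kind of account; the second reply's option of keeping an smbpasswd store in sync with LDAP), the following Python is example code written for this page, not code from the thread or from the Samba project. It computes the sambaNTPassword value, splits a SID into its domain part and RID, classifies the RID, and emits the LDIF a sync script would have to apply to an existing posixAccount if the schema were available. The base DN ou=People,dc=example,dc=com, the domain SID S-1-5-21-1-2-3, the user entry and the rid base of 1000 (Samba's default for the classic algorithmic uid-to-RID mapping) are assumptions; MD4 is implemented inline because hashlib on OpenSSL 3 builds only exposes it through the legacy provider.

```python
"""Added example for the sambaSID / sambaNTPassword discussion above.
Illustration only; not code from the thread or from the Samba project."""
import struct

MASK = 0xFFFFFFFF


def _lrot(x: int, n: int) -> int:
    """32-bit left rotate."""
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320): pad to 56 mod 64, append the 64-bit
    little-endian bit length, then run the three rounds over each block."""
    msg = bytearray(data)
    msg.append(0x80)
    while len(msg) % 64 != 56:
        msg.append(0)
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)

    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (
        # (boolean function, additive constant, message-word order, shifts)
        (lambda x, y, z: (x & y) | (~x & z), 0x00000000,
         list(range(16)), (3, 7, 11, 19)),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999,
         [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13)),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1,
         [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for f, k, order, shifts in rounds:
            for i, idx in enumerate(order):
                # Each step updates one register; rotating the tuple keeps
                # the a/d/c/b update order of the specification.
                t = _lrot((a + f(b, c, d) + x[idx] + k) & MASK, shifts[i % 4])
                a, b, c, d = d, t, b, c
        h = [(v + w) & MASK for v, w in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def nt_hash(password: str) -> str:
    """sambaNTPassword value: unsalted MD4 over the UTF-16LE password, as
    upper-case hex.  A Unix crypt()/SHA userPassword is salted and built
    from a different primitive, so neither can be derived from the other."""
    return md4(password.encode("utf-16-le")).hex().upper()


# Well-known RIDs (the last component of a SID) that identify an account kind.
WELL_KNOWN_RIDS = {
    500: "Administrator", 501: "Guest", 512: "Domain Admins",
    513: "Domain Users", 514: "Domain Guests", 515: "Domain Computers",
}


def split_sid(sid: str):
    """Split 'S-1-5-21-...-RID' into (domain SID, RID)."""
    parts = sid.split("-")
    if len(parts) < 4 or parts[0] != "S" or not all(p.isdigit() for p in parts[1:]):
        raise ValueError("malformed SID: %r" % sid)
    return "-".join(parts[:-1]), int(parts[-1])


def classify_rid(rid: int, rid_base: int = 1000) -> str:
    """Classify a RID.  Assumption: Samba's classic algorithmic mapping with
    the default 'algorithmic rid base' of 1000 (uid*2+base for users,
    gid*2+base+1 for groups)."""
    if rid in WELL_KNOWN_RIDS:
        return WELL_KNOWN_RIDS[rid]
    if rid < rid_base:
        return "unknown"
    n = rid - rid_base
    return "user (uid %d)" % (n // 2) if n % 2 == 0 else "group (gid %d)" % (n // 2)


def samba_ldif(uid: str, uid_number: int, domain_sid: str, password: str,
               rid_base: int = 1000) -> str:
    """LDIF a sync script would apply to an existing posixAccount so Samba
    could use it.  The base DN is a hypothetical example.  '[U]' marks a
    normal user account; Samba itself writes the flags space-padded."""
    rid = uid_number * 2 + rid_base
    lines = [
        "dn: uid=%s,ou=People,dc=example,dc=com" % uid,
        "changetype: modify",
        "add: objectClass", "objectClass: sambaSamAccount", "-",
        "add: sambaSID", "sambaSID: %s-%d" % (domain_sid, rid), "-",
        "add: sambaNTPassword", "sambaNTPassword: " + nt_hash(password), "-",
        "add: sambaAcctFlags", "sambaAcctFlags: [U]",
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample user; 'password' is the classic NT-hash test value.
    print(samba_ldif("fabrizio", 1000, "S-1-5-21-1-2-3", "password"))
```

What the hash function makes obvious is the practical limit of the sync-script option: sambaNTPassword is computed from the cleartext, and an LDAP directory only stores userPassword as a hash, so a periodic job can only fill the attribute at a moment when it sees the cleartext (a password change, or a plain-text login passed through PAM); it cannot be derived from the entry that is already in LDAP.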