samba - May 2012 - would like to use samba3 pdc, no ldap account backend db, but use ldap for authN

I'd like to:

1) use samba3 as a PDC, and
2) not use LDAP as the account backend database, and
3) specify samba to use but use "encrypt passwords = true", and
4) use an ldap server as the authentication source for samba.

Is that possible?

I'd assumed it would be given that samba is pam-aware, and I can tell pam to
use ldap for authN.

However, the man page for smb.conf seems to say no, as it says that "obey
pam restrictions = true" will be ignored when "encrypt password"
is set to true.

Am I understanding this correctly?  Is there a work-around?  I don't want to
add the samba schema to my existing ldap server, but I do want to use my
existing ldap server for authN.

Thanks,

-- 
Jon Detert
Sr. Systems Administrator
Infinity Healthcare
Milwaukee, Wisconsin
414-290-6759

On Tue, May 15, 2012 at 04:54:37PM -0500, Jon Detert
wrote:
> I'd like to:
> 
> 1) use samba3 as a PDC, and
> 2) not use LDAP as the account backend database, and
> 3) specify samba to use but use "encrypt passwords = true", and
> 4) use an ldap server as the authentication source for samba.
> 
> Is that possible?
> 
> I'd assumed it would be given that samba is pam-aware, and
> I can tell pam to use ldap for authN.
> 
> However, the man page for smb.conf seems to say no, as it
> says that "obey pam restrictions = true" will be ignored
> when "encrypt password" is set to true.
> 
> Am I understanding this correctly?  Is there a
> work-around?  I don't want to add the samba schema to my
> existing ldap server, but I do want to use my existing
> ldap server for authN.
No, this is not possible. Samba never sees the plain text
password which is required for authentication via PAM.

Volker

-- 
SerNet GmbH, Bahnhofsallee 1b, 37081 G?ttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG G?ttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.sernet.de, mailto:kontakt at sernet.de