On 07/01/14 09:55, Hendry, Chris wrote:
> Trying to understand authentication..
>
> In a blog, someone was asking about authentication for a remote LDAP server
> for which they had no admin privileges.
>
> Thus he could not get samba configured correctly. He was pointed in the
> direction of joining the domain.
>
> This led me to my question... could not samba be configured to be read
> only? Just to pass through authentication.
>
> Answer from Andrew Bartlett
>
> No, it can't because it needs to read the password hashes, or have
> some other service that can interpret challenge-response values. That
> 'other service' is the DC that you join (and that is why we join
> it).
>
> My next question:
>
> So when login authentication occurs for a Linux server (configured to
> authenticate to an LDAP server), what is reading the "password hashes"? I
> thought it was just doing pass-through authentication (via PAM).
>
> Also what is typical for LDAP admins to do in this case? Provide a read-only
> type of admin login?
>
> Chris H
There seem to be two ways Linux servers can do authentication.

The first one is that the LDAP client config uses a proxy account. The
proxy account has sufficient access to read the password hashes from
LDAP. When a Linux user logs in, the Linux server takes the password
that has been entered, hashes it and compares it to the hash in LDAP.
In this case, if you run "getent shadow" as root you will see hashed
entries of LDAP users. This means potentially any user with local root
access can dump the hashes and run a password cracker.

The 2nd approach is where the Linux machine does relay the
authentication request to the LDAP server. I think (but not 100% sure)
that specifically what is happening is that the user's credentials are
used to ask the LDAP server if the password provided matches the one in
LDAP. This is a compare request, not an actual data read.

In Fedora, if you are using SSSD for authentication the 2nd approach is
used. Older versions of Fedora may have needed a proxy account
approach instead.

In LDAP you can create access control entries that allow specific users
or groups or members of containers to have very controlled access rights
to specific fields (e.g. the ability for a user to write to his own
password and telephone fields). An LDAP account used by Samba DCs
would need read/write access in a container in LDAP but not in the
entire LDAP tree.
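An added illustration of the two models above (not code from the thread): the first function audits "getent shadow" output for directory accounts whose hashes are readable on the client, which is the footprint of the proxy-account approach; the second shows the local {SSHA} compare such a client performs, the step that a bind/compare model leaves to the directory server instead. The getent sample, user names and hash values are constructed.

```python
import base64
import hashlib
import hmac
import os

# Shadow password-field values that carry no usable hash (locked/absent).
NO_HASH = {"", "!", "!!", "*", "x", "NP", "LK"}


def exposed_hashes(getent_shadow_output: str, local_users: set) -> list:
    """Return non-local users whose password hash is visible via getent shadow.

    local_users: names in the client's own /etc/shadow; a hash there is
    expected and is not reported. Anything else with a real hash value
    came from the directory through the proxy account.
    """
    exposed = []
    for line in getent_shadow_output.splitlines():
        if not line.strip():
            continue
        user, pw = line.split(":")[:2]
        if user in local_users or pw in NO_HASH:
            continue
        exposed.append(user)
    return exposed


def make_ssha(password: str, salt: bytes) -> str:
    """Build an LDAP {SSHA} value: base64(sha1(password + salt) + salt)."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def verify_ssha(stored: str, password: str) -> bool:
    """Local compare against a {SSHA} value the client has already read."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("only {SSHA} is handled in this example")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]   # SHA-1 digest is 20 bytes, salt follows
    return hmac.compare_digest(hashlib.sha1(password.encode() + salt).digest(), digest)


# Constructed sample of what "getent shadow" can show on a proxy-account client.
SAMPLE_GETENT = """root:$6$constructed$localhashplaceholder:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
alice:$6$constructed$directoryhashplaceholder:0:0:99999:7:::
bob:*:0:0:99999:7:::
"""

if __name__ == "__main__":
    print("directory hashes readable for:", exposed_hashes(SAMPLE_GETENT, {"root", "daemon"}))
    stored = make_ssha("correct horse", os.urandom(8))
    print("local compare:", verify_ssha(stored, "correct horse"))
```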