Eric Altman
2019-Jan-11 07:42 UTC
[Samba] Authentication against Apple Open Directory (was: Re: LDAP authentication without Samba schema)
I am absolutely loath to necro a thread like this so far in the future but that's kind of the point here...

It's 2019 and as much as I've tried (everything in this thread and more... like trying some weird trickery with pam_exec), I can't figure this out.

I have clients with huge and elaborate OD environments that I absolutely would never have access to the terminal/desktop of, much less the schema of. This precludes a lot of the methods of getting around this, which usually involve some kind of access to the OD Server.

Any progress on this or do I finally, after almost 2 and a half years in some cases, tell clients this is never going to happen? (The frustration is at the situation, not anyone on the SAMBA team.)

LumaForge <http://www.lumaforge.com/>
Eric Altman // CTO
M 818.861.6563
E eric at lumaforge.com
W lumaforge.com
1311 South Flower St. Burbank, CA 91502
Andrew Bartlett
2019-Jan-19 18:51 UTC
[Samba] Authentication against Apple Open Directory (was: Re: LDAP authentication without Samba schema)
On Thu, 2019-01-10 at 23:42 -0800, Eric Altman via samba wrote:
> I am absolutely loath to necro a thread like this so far in the future but that's kind of the point here...
>
> It's 2019 and as much as I've tried (everything in this thread and more... like trying some weird trickery with pam_exec), I can't figure this out.
>
> I have clients with huge and elaborate OD environments that I absolutely would never have access to the terminal/desktop of, much less the schema of. This precludes a lot of the methods of getting around this, which usually involve some kind of access to the OD Server.
>
> Any progress on this or do I finally, after almost 2 and a half years in some cases, tell clients this is never going to happen? (The frustration is at the situation, not anyone on the SAMBA team.)

I worked with a commercial client trying to find a way to make this work, and despite quite some effort (trying to behave the same way the Mac SMB server does, or even investigating having some agent on the OD server) didn't make any useful progress, even to having a protocol. And that assumed some pretty privileged access to OD, which you don't have.

Essentially this was lost when we killed security=server, which isn't compatible with NTLMv2 and isn't compatible with any form of session signing (now pretty much required, at least at negotiation).

Of course, you can still use Kerberos, that just requires you get a keytab and set up DNS properly etc.

Sorry!

Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba