
Re: authenticate from LDAP (samba PDC)



On Tue, May 28, 2002 at 10:59:11AM +0930, Tom Cook wrote:
| On  0, dman <dman@dman.ddts.net> wrote:
| > 
| > We're trying to move from lots of duplicate authentication data on
| > different systems to having a single unified sign-on source by using
| > LDAP.  I managed to get login and sshd to authenticate against an ldap
| > server through pam.  It's cool and quite simple as well.
| > 
| > Now I want to make samba be the PDC for the windows machines and have
| > it authenticate against the LDAP server as well.  The docs I've read
| > seem to indicate that samba and pam don't play together that well.
| > The only solution I can think of is to periodically rebuild the
| > smbpasswd file from LDAP.
| > 
| > Does anyone have any suggestions as to the best way to achieve this?  
| 
| How will people change their passwords if you do this?

It would have to be through some other access to LDAP.

The info I've found that throws the monkey wrench into the whole
scheme (well, apart from MS :-)) is this:

(http://us1.samba.org/samba/docs/Samba-HOWTO-Collection.html)
 3.3
    Note that Samba always ignores PAM for authentication in the case
    of encrypt passwords = yes. The reason is that PAM modules cannot
    support the challenge/response authentication mechanism needed in
    the presence of SMB password encryption. 

 8.3
    ; encrypted passwords are a requirement for a PDC
     ...
    Encrypted passwords must be enabled.

I found this same information in some other documents.  Hmm, maybe if
I specify the passwd program correctly then the password stored in
LDAP can be updated through samba.  That isn't such a big deal, IMO,
because other means can be devised (e.g. an authenticated web form
submission over SSL or logging in to a nicely-behaved PAM-enabled *NIX
box and using 'passwd').


As it stands right now, there isn't any automated synchronization
between the windows systems and the unix systems.  The unix systems
are semi-automated through NIS.  Using LDAP would be a major
improvement.  It would be less desirable, but also acceptable, if a
win box was the domain controller, as long as it can authenticate
against OpenLDAP running on a separate linux machine.

-D

-- 

The teaching of the wise is a fountain of life,
turning a man from the snares of death.
        Proverbs 13:14
 
GnuPG key : http://dman.ddts.net/~dman/public_key.gpg

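The HOWTO passage quoted above says Samba bypasses PAM when encrypted passwords are on because PAM cannot do challenge/response. The following added example (written for this page, not code from the thread or from Samba) shows concretely why: in an NTLMv2-style exchange the client never sends the password, only a keyed MAC over a server challenge, so the verifier must hold the NT hash itself, which is exactly what the smbpasswd file or an LDAP-backed equivalent stores. A PAM stack, which can only answer "is this plaintext correct?", has nothing to work with. The MD4 routine is included because many OpenSSL 3 builds drop MD4 from hashlib; the response blob layout is simplified and the user, domain and password are constructed sample values.

```python
import hashlib
import hmac
import os
import struct

MASK32 = 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320). The NT hash is MD4 over the UTF-16LE password."""
    def rotl(x, n):
        return ((x << n) | (x >> (32 - n))) & MASK32

    msg = bytearray(data)
    msg.append(0x80)
    while len(msg) % 64 != 56:
        msg.append(0)
    msg += struct.pack("<Q", len(data) * 8)  # bit length, little-endian

    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    r2_order = [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]
    r3_order = [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):  # round 1: F = (b & c) | (~b & d)
            f = (b & c) | (~b & d)
            a = rotl((a + f + x[i]) & MASK32, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 2: majority function, constant 0x5A827999
            g = (b & c) | (b & d) | (c & d)
            a = rotl((a + g + x[r2_order[i]] + 0x5A827999) & MASK32, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 3: parity function, constant 0x6ED9EBA1
            h = b ^ c ^ d
            a = rotl((a + h + x[r3_order[i]] + 0x6ED9EBA1) & MASK32, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a, b, c, d = (a + aa) & MASK32, (b + bb) & MASK32, (c + cc) & MASK32, (d + dd) & MASK32
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    """The value an smbpasswd entry (or its LDAP equivalent) has to store."""
    return md4(password.encode("utf-16le"))


def ntowf_v2(nt: bytes, user: str, domain: str) -> bytes:
    """NTLMv2 per-user key: HMAC-MD5 over uppercase user + domain, keyed by the NT hash."""
    return hmac.new(nt, (user.upper() + domain).encode("utf-16le"), hashlib.md5).digest()


def client_respond(password: str, user: str, domain: str,
                   server_challenge: bytes, client_nonce: bytes) -> bytes:
    """Client side: the password itself never leaves the client."""
    # Simplified NTLMv2 blob (constructed for this example): header, zero timestamp, client nonce.
    blob = b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", 0) + client_nonce + b"\x00" * 4
    key = ntowf_v2(nt_hash(password), user, domain)
    proof = hmac.new(key, server_challenge + blob, hashlib.md5).digest()
    return proof + blob


def server_verify(stored_nt_hash: bytes, user: str, domain: str,
                  server_challenge: bytes, response: bytes) -> bool:
    """Server side: recomputes the proof from the STORED HASH. There is no plaintext
    here to hand to a PAM conversation, which is why Samba ignores PAM on this path."""
    proof, blob = response[:16], response[16:]
    key = ntowf_v2(stored_nt_hash, user, domain)
    expected = hmac.new(key, server_challenge + blob, hashlib.md5).digest()
    return hmac.compare_digest(proof, expected)


def demo(server_challenge: bytes = None, client_nonce: bytes = None):
    """Runs one exchange with constructed sample credentials; returns
    (verified with the right stored hash, verified with a wrong stored hash)."""
    user, domain, password = "alice", "EXAMPLE", "password"  # constructed sample values
    server_challenge = server_challenge or os.urandom(8)
    client_nonce = client_nonce or os.urandom(8)
    stored = nt_hash(password)  # provisioned out of band, e.g. at password-change time
    response = client_respond(password, user, domain, server_challenge, client_nonce)
    good = server_verify(stored, user, domain, server_challenge, response)
    bad = server_verify(nt_hash("not-the-password"), user, domain, server_challenge, response)
    return good, bad


if __name__ == "__main__":
    print("NT hash of 'password':", nt_hash("password").hex())
    print("verify with stored hash / with wrong hash:", demo())
```

The practical consequence for the setup discussed in the thread is that whatever holds the NT hash (smbpasswd, or an LDAP entry Samba can read) must be kept in sync with the password users actually set, since the hash, not the password, is what the challenge/response check consumes.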

