[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: authenticate from LDAP (samba PDC)



On  0, dman <dman@dman.ddts.net> wrote:
> On Tue, May 28, 2002 at 10:59:11AM +0930, Tom Cook wrote:
> | On  0, dman <dman@dman.ddts.net> wrote:
> | > 
> | > We're trying to move from lots of duplicate authentication data on
> | > different systems to having a single unified sign-on source by using
> | > LDAP.  I managed to get login and sshd to authentiate against an ldap
> | > server through pam.  It's cool and quite simple as well.
> | > 
> | > Now I want to make samba be the PDC for the windows machines and have
> | > it authenticate against the LDAP server as well.  The docs I've read
> | > seem to indicate that samba and pam don't play together that well.
> | > The only solution I can think of is to periodically rebuild the
> | > smbpasswd file from LDAP.
> | > 
> | > Does anyone have any suggestions as to the best way to achieve this?  
> | 
> | How will people change their passwords if you do this?
> 
> It would have to be through some other access to LDAP.

I think so.

> The info I've found that throws the monkey wrench into the whole
> scheme (well, apart from MS :-)) is this :
> 
> (http://us1.samba.org/samba/docs/Samba-HOWTO-Collection.html)
>  3.3
>     Note that Samba always ignores PAM for authentication in the case
>     of encrypt passwords = yes. The reason is that PAM modules cannot
>     support the challenge/response authentication mechanism needed in
>     the presence of SMB password encryption. 
> 
>  8.3
>     ; encrypted passwords are a requirement for a PDC
>      ...
>     Encrypted passwords must be enabled.
> 
> I found this same information in some other documents.  Hmm, maybe if
> I specify the passwd program correctly then the password stored in
> LDAP can be updated through samba.  That isn't such a big deal, IMO,
> because other means can be devised (eg an authenticated web form
> submission over SSL or logging in to a nicely-behaved PAM-enabled *NIX
> box and using 'passwd').

Certainly if you use a web form to change passwords then you could
have it update both LDAP and smbpasswd.

> As it stands right now, there isn't any automated synchronization
> between the windows sytstems and the unix systems.  The unix systems

A good point.  Some synchronisation is better than none.

> are semi-automated through NIS.  Using LDAP would be a major
> improvement.  It would be less desirable, but also acceptable, if a
> win box was the domain controller, as long as it can authenticate
> against OpenLDAP running on a separate linux machine.

I am not sure, but I think there is a Novell product that will do this
for you.

If you are using NT 5.0, then it would seem that Kerbobos is an option
worth looking into:

http://www.usenix.org/publications/login/1998-5/brundrett.html

Also it is possible to replace GINA.dll to do authentication however
you want.  Have a look at:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/security/security/winlogon_and_gina_start_page.asp

You *might* be able to pull the hashing code out of pam or login or
whatever on your linux system and get NT talking straight to your
LDAP.

Tom
-- 
Tom Cook
Information Technology Services, The University of Adelaide

"Beware of computer programmers that carry screwdrivers."
	- Leonard Brandwein

Get my GPG public key: https://pinky.its.adelaide.edu.au/~tkcook/tom.cook-at-adelaide.edu.au

Attachment: pgpxDZCzNoC2k.pgp
Description: PGP signature


Reply to: