On 0, dman <dman@dman.ddts.net> wrote:
> On Tue, May 28, 2002 at 10:59:11AM +0930, Tom Cook wrote:
> | On 0, dman <dman@dman.ddts.net> wrote:
> | >
> | > We're trying to move from lots of duplicate authentication data on
> | > different systems to having a single unified sign-on source by using
> | > LDAP. I managed to get login and sshd to authenticate against an ldap
> | > server through pam. It's cool and quite simple as well.
> | >
> | > Now I want to make samba be the PDC for the windows machines and have
> | > it authenticate against the LDAP server as well. The docs I've read
> | > seem to indicate that samba and pam don't play together that well.
> | > The only solution I can think of is to periodically rebuild the
> | > smbpasswd file from LDAP.
> | >
> | > Does anyone have any suggestions as to the best way to achieve this?
> |
> | How will people change their passwords if you do this?
>
> It would have to be through some other access to LDAP. I think so.
> The info I've found that throws the monkey wrench into the whole
> scheme (well, apart from MS :-)) is this :
>
> (http://us1.samba.org/samba/docs/Samba-HOWTO-Collection.html)
> 3.3
> Note that Samba always ignores PAM for authentication in the case
> of encrypt passwords = yes. The reason is that PAM modules cannot
> support the challenge/response authentication mechanism needed in
> the presence of SMB password encryption.
>
> 8.3
> ; encrypted passwords are a requirement for a PDC
> ...
> Encrypted passwords must be enabled.
>
> I found this same information in some other documents. Hmm, maybe if
> I specify the passwd program correctly then the password stored in
> LDAP can be updated through samba. That isn't such a big deal, IMO,
> because other means can be devised (eg an authenticated web form
> submission over SSL or logging in to a nicely-behaved PAM-enabled *NIX
> box and using 'passwd').

Certainly if you use a web form to change passwords then you could have
it update both LDAP and smbpasswd.

> As it stands right now, there isn't any automated synchronization
> between the windows systems and the unix systems. The unix systems

A good point. Some synchronisation is better than none.

> are semi-automated through NIS. Using LDAP would be a major
> improvement. It would be less desirable, but also acceptable, if a
> win box was the domain controller, as long as it can authenticate
> against OpenLDAP running on a separate linux machine.

I am not sure, but I think there is a Novell product that will do this
for you. If you are using NT 5.0, then it would seem that Kerberos is
an option worth looking into:

http://www.usenix.org/publications/login/1998-5/brundrett.html

Also it is possible to replace GINA.dll to do authentication however
you want. Have a look at:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/security/security/winlogon_and_gina_start_page.asp

You *might* be able to pull the hashing code out of pam or login or
whatever on your linux system and get NT talking straight to your LDAP.

Tom
-- 
Tom Cook
Information Technology Services, The University of Adelaide

"Beware of computer programmers that carry screwdrivers." - Leonard Brandwein

Get my GPG public key: https://pinky.its.adelaide.edu.au/~tkcook/tom.cook-at-adelaide.edu.au
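The two Samba HOWTO passages quoted in the thread (3.3: PAM is ignored for authentication once `encrypt passwords = yes`; 8.3: a PDC requires encrypted passwords) amount to a checklist an admin can run against `smb.conf` before trusting the server as a domain controller. The script below is an added example and is not part of the mailing-list thread nor of Samba itself. Both configurations in it are constructed samples; the option names (`encrypt passwords`, `domain logons`, `security`, `unix password sync`, `passwd program`, `passwd chat`, `obey pam restrictions`) are standard Samba 2.2 parameters, and the parser is a small stand-in for Samba's own, written here because `configparser` would treat Samba's indented lines as continuations.

```python
"""Check an smb.conf against the PDC requirements quoted in the thread.

Added example (not from the thread or from Samba). The two configs below
are constructed samples; the option names are standard Samba 2.2 parameters.
"""
import re

# Constructed sample 1: a server that leaves authentication to PAM.
# With "encrypt passwords = no" clients send plaintext passwords, and the
# server cannot act as a PDC, which requires encrypted passwords (HOWTO 8.3).
PAM_ONLY_CONF = """\
[global]
   workgroup = EXAMPLE
   security = user
   encrypt passwords = no
   obey pam restrictions = yes
"""

# Constructed sample 2: the same site as a PDC. Authentication now uses the
# NT hashes in smbpasswd, so PAM is bypassed (HOWTO 3.3); "unix password
# sync" plus a "passwd program" is what pushes a password change on to the
# unix/LDAP side. The passwd chat is a constructed value for an assumed
# passwd binary; adjust it to the real program's prompts.
PDC_CONF = """\
[global]
   workgroup = EXAMPLE
   security = user
   encrypt passwords = yes
   domain logons = yes
   domain master = yes
   os level = 65
   unix password sync = yes
   passwd program = /usr/bin/passwd %u
   passwd chat = *New*password* %n\\n *Retype*new*password* %n\\n *updated*successfully*
"""

_TRUE = {"yes", "true", "1"}
_FALSE = {"no", "false", "0"}


def parse_smb_conf(text):
    """Parse smb.conf text into {section: {normalised key: value}}.

    Samba option names are case-insensitive and ignore internal whitespace,
    so "Encrypt Passwords" and "encrypt passwords" map to the same key.
    Indented lines are ordinary settings, not continuations.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue  # stray text outside any section
        key, _, value = line.partition("=")
        sections[current][re.sub(r"\s+", "", key).lower()] = value.strip()
    return sections


def _as_bool(value, default):
    """Interpret a Samba boolean; unknown or missing values fall back to default."""
    if value is None:
        return default
    v = value.lower()
    return True if v in _TRUE else False if v in _FALSE else default


def check_pdc_config(text):
    """Return a list of findings; an empty list means the [global] section
    satisfies the requirements quoted from the Samba HOWTO."""
    g = parse_smb_conf(text).get("global", {})
    findings = []
    # Absent "encrypt passwords" is treated as no, the Samba 2.2 default.
    encrypt = _as_bool(g.get("encryptpasswords"), False)
    if not encrypt:
        findings.append("encrypt passwords must be yes: a PDC requires encrypted passwords")
    if not _as_bool(g.get("domainlogons"), False):
        findings.append("domain logons must be yes for a PDC")
    if g.get("security", "user").lower() != "user":
        findings.append("security must be user for a PDC")
    if _as_bool(g.get("unixpasswordsync"), False) and not g.get("passwdprogram"):
        findings.append("unix password sync = yes but no passwd program: changes will not reach unix/LDAP")
    if encrypt and _as_bool(g.get("obeypamrestrictions"), False):
        findings.append("note: PAM is ignored for authentication with encrypt passwords = yes; "
                        "obey pam restrictions only governs PAM account/session management")
    return findings


if __name__ == "__main__":
    for name, conf in (("PAM-only", PAM_ONLY_CONF), ("PDC", PDC_CONF)):
        print(name, "->", check_pdc_config(conf) or "ok")
```

Running it reports two findings for the PAM-only file (`encrypt passwords` and `domain logons`) and none for the PDC file. The last check is the practical consequence of HOWTO 3.3 that the thread is wrestling with: once encrypted passwords are on, the PAM stack that works for `login` and `sshd` is no longer consulted for the SMB logon, so the NT hash store (smbpasswd here, or an LDAP-backed one) is what must be kept in sync.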