
Re: authenticate from LDAP (samba PDC)

On  0, dman <dman@dman.ddts.net> wrote:
> On Tue, May 28, 2002 at 10:59:11AM +0930, Tom Cook wrote:
> | On  0, dman <dman@dman.ddts.net> wrote:
> | > 
> | > We're trying to move from lots of duplicate authentication data on
> | > different systems to having a single unified sign-on source by using
> | > LDAP.  I managed to get login and sshd to authenticate against an ldap
> | > server through pam.  It's cool and quite simple as well.
> | > 
> | > Now I want to make samba be the PDC for the windows machines and have
> | > it authenticate against the LDAP server as well.  The docs I've read
> | > seem to indicate that samba and pam don't play together that well.
> | > The only solution I can think of is to periodically rebuild the
> | > smbpasswd file from LDAP.
> | > 
> | > Does anyone have any suggestions as to the best way to achieve this?  
> | 
> | How will people change their passwords if you do this?
> It would have to be through some other access to LDAP.

I think so.

> The info I've found that throws the monkey wrench into the whole
> scheme (well, apart from MS :-)) is this :
> (http://us1.samba.org/samba/docs/Samba-HOWTO-Collection.html)
>  3.3
>     Note that Samba always ignores PAM for authentication in the case
>     of encrypt passwords = yes. The reason is that PAM modules cannot
>     support the challenge/response authentication mechanism needed in
>     the presence of SMB password encryption. 
>  8.3
>     ; encrypted passwords are a requirement for a PDC
>      ...
>     Encrypted passwords must be enabled.
> I found this same information in some other documents.  Hmm, maybe if
> I specify the passwd program correctly then the password stored in
> LDAP can be updated through samba.  That isn't such a big deal, IMO,
> because other means can be devised (eg an authenticated web form
> submission over SSL or logging in to a nicely-behaved PAM-enabled *NIX
> box and using 'passwd').

Certainly if you use a web form to change passwords then you could
have it update both LDAP and smbpasswd.

> As it stands right now, there isn't any automated synchronization
> between the windows systems and the unix systems.  The unix systems

A good point.  Some synchronisation is better than none.

> are semi-automated through NIS.  Using LDAP would be a major
> improvement.  It would be less desirable, but also acceptable, if a
> win box was the domain controller, as long as it can authenticate
> against OpenLDAP running on a separate linux machine.

I am not sure, but I think there is a Novell product that will do this
for you.

If you are using NT 5.0, then it would seem that Kerberos is an option
worth looking into:


Also it is possible to replace GINA.dll to do authentication however
you want.  Have a look at:


You *might* be able to pull the hashing code out of pam or login or
whatever on your linux system and get NT talking straight to your

Tom Cook
Information Technology Services, The University of Adelaide

"Beware of computer programmers that carry screwdrivers."
	- Leonard Brandwein

Get my GPG public key: https://pinky.its.adelaide.edu.au/~tkcook/tom.cook-at-adelaide.edu.au
