On Friday 04 April 2008 20:33:29 Wes Modes wrote:
>> 3) You can have all your user and group information (including the samba password hashes, samba group mappings etc.) in the OpenLDAP directory server.
> Check. This took some doing and the help of smbldap-tools, but I got there too. I've set up the authentication connection between Samba and OpenLDAP, via smbldap-tools. It works by adding new fields to the OpenLDAP schema specific to the needs of samba. Then samba uses those OpenLDAP fields as a hashed password repository.
The challenge is that while these two methods allow Samba to authenticate via OpenLDAP and allow OpenLDAP to authenticate via Kerberos, they are really intended for different purposes.
Practically speaking (ignoring the theory, and assuming you aren't going to be running samba4), there is only one way for samba to authenticate users from OpenLDAP, and that is by reading the Samba password hashes, which allows it to do NTLM challenge response authentication. There is no other way until Samba4 (AFAIK).
Thus far, there isn't really a means for you to authenticate access from Windows clients accessing your samba server with the same credentials that they use for (1) or (2).
However, the "Active Directory Password Cache" overlay sitting in ITS may help. Instead of (1), you may rather choose to use the adpwc overlay: simple binds against the directory would first try and authenticate with the password hash stored in the userPassword attribute in-directory. If that fails, the overlay intercepts that, and tries a Kerberos authentication with the principal stored in the krbPrincipalName attribute. If this succeeds, the overlay hashes the password and stores the hash in the userPassword attribute, and hashes it with a samba-compatible hash and stores the hash in the sambaNTPassword attribute.
Now, authentications with the same password will not contact the KDC, and samba should be able to authenticate the user with the hash in the OpenLDAP directory.
The inconvenience here is that if the password has changed on the KDC, Samba won't get the new password until the directory server has seen a simple bind with the new password. The inconvenience could be reduced by putting in a simple web script allowing users to sync their passwords.
The password expiry aspects also need some looking at ...
> There are a few new concepts here for me that I'll go away and learn something about, namely overlays. And a sneaking worry that your mention of Active Directory might ice me out of the solution since I am running Samba on RHEL.
In the context of this module, "Active Directory" really means a KDC which you don't control, but against which you want to validate passwords before caching them for simple binds and samba in your OpenLDAP directory; it has nothing to do with what you are running on your side. It works perfectly with a Unix KDC (I tested with Heimdal).
Regards, Buchan