Thanks for all your advice so far.
First, I'll just say this is a question principally about the arcane mysteries of Samba to OpenLDAP authentication.
I've had Samba to OpenLDAP authentication running for a while now using the samba.schema and the ldapsam module. Now I'd like to understand a bit more about how that works in order to take it a step further and get OpenLDAP to bind against a Kerberos database via SASL.
An aside: yes, I'd heard that Samba can be configured to authenticate against Kerberos directly, but for my own reasons, I'd prefer that Samba talk only to OpenLDAP, and OpenLDAP can do the authentication. I'll fall back on the Samba to Kerberos direct route if I can't find a way to do what I want.
I've noted that the Samba schema and smbldap-tools add to the user record two Samba specific password fields, sambaNTPassword and sambaLMPassword.
If I have the ldapsam module specified as the passdb backend in smb.conf, is OpenLDAP merely storing the samba passwords while Samba does the password comparisons? Or does OpenLDAP do the authentication and return a yes or no?
Is it possible to have Samba defer authentication to OpenLDAP? If so, I can have OpenLDAP use the {SASL} method to do authentication via Kerberos.
Wes
Wes Modes wmodes@ucsc.edu writes:
> Thanks for all your advice so far.
> First, I'll just say this is a question principally about the arcane mysteries of Samba to OpenLDAP authentication.
> I've had Samba to OpenLDAP authentication running for a while now using the samba.schema and the ldapsam module. Now I'd like to understand a bit more about how that works in order to take it a step further and get OpenLDAP to bind against a Kerberos database via SASL.
> An aside: yes, I'd heard that Samba can be configured to authenticate against Kerberos directly, but for my own reasons, I'd prefer that Samba talk only to OpenLDAP, and OpenLDAP can do the authentication. I'll fall back on the Samba to Kerberos direct route if I can't find a way to do what I want.
> I've noted that the Samba schema and smbldap-tools add to the user record two Samba specific password fields, sambaNTPassword and sambaLMPassword.
> If I have the ldapsam module specified as the passdb backend in smb.conf, is OpenLDAP merely storing the samba passwords while Samba does the password comparisons? Or does OpenLDAP do the authentication and return a yes or no?
> Is it possible to have Samba defer authentication to OpenLDAP? If so, I can have OpenLDAP use the {SASL} method to do authentication via Kerberos.
This is a Samba topic, not an OpenLDAP topic. Samba can only join a Windows Server KDC.
-Dieter
Wes Modes wrote:
> First, I'll just say this is a question principally about the arcane mysteries of Samba to OpenLDAP authentication.
> I've had Samba to OpenLDAP authentication running for a while now using the samba.schema and the ldapsam module. Now I'd like to understand a bit more about how that works in order to take it a step further and get OpenLDAP to bind against a Kerberos database via SASL.
> An aside: yes, I'd heard that Samba can be configured to authenticate against Kerberos directly, but for my own reasons, I'd prefer that Samba talk only to OpenLDAP, and OpenLDAP can do the authentication.
Note that you lose the security advantages of Kerberos then. What exactly are your "own reasons"?
> I'll fall back on the Samba to Kerberos direct route if I can't find a way to do what I want.
If the OpenLDAP user database is not your KDC database then I don't think that it works.
> I've noted that the Samba schema and smbldap-tools add to the user record two Samba specific password fields, sambaNTPassword and sambaLMPassword.
Yupp. That's exactly the point. AFAIK Samba simply compares the hashed passwords and does not send a bind request on behalf of the end user.
For more details asking the folks on the samba-technical mailing list might be more helpful.
Ciao, Michael.
openldap-technical@openldap.org