[Samba] Samba with LDAP Integration - Samba


  1. [Samba] Samba with LDAP Integration

    All,
    I am trying to work out if the current setup is possible:
    I would like to have Samba running to authenticate shares for /home
    directories running under FC6. All of my users are posixAccounts in an
    LDAP Directory.

    I would like to use this information to authenticate these shares but
    without making any changes to the LDAP Directory itself (so including no
    new objects or schema changes).

    Is there any way to do this? All my previous attempts have led to the
    Samba server doing a search on objectClass=sambaSamAccount which I of
    course would rather not have. Is it just possible to use the standard
    password attribute for authentication? Does anyone have a sample setup
    of such a situation?

    Thanks for any help and let me know if you require any further information.

    --
    James Ray.
    Computing Services
    Queen Mary, University of London
    --
    To unsubscribe from this list go to the following URL and read the
    instructions: https://lists.samba.org/mailman/listinfo/samba

  2. Re: [Samba] Samba with LDAP Integration

    On Monday, 16.04.2007 at 16:06 +0100, James Ray wrote:

    > I am trying to work out if the current setup is possible: I would like
    > to have Samba running to authenticate shares for /home directories
    > running under FC6. All of my users are posixAccounts in an LDAP
    > Directory.
    >
    > I would like to use this information to authenticate these shares but
    > without making any changes to the LDAP Directory itself (so including
    > no new objects or schema changes).
    >
    > Is there any way to do this? All my previous attempts have led to the
    > Samba server doing a search on objectClass=sambaSamAccount which I of
    > course would rather not have. Is it just possible to use the standard
    > password attribute for authentication? Does anyone have a sample setup
    > of such a situation?


    I suspect this is not possible, for the following reason. Windows
    clients don't send the plain password across the network to the Samba
    server; they send a password hash (typically the NT password hash).

    This hash has to be compared with something in order to authenticate:
    the standard LDAP userPassword hash is a different hash and so cannot be
    used. And you don't have the plain password from the client in order to
    *create* a userPassword-style hash (MD5 or crypt or whatever) to compare
    against LDAP.

    There are two options:

    1. Add the Samba schema - probably the best way;

    2. Configure all your Windows clients to send plain passwords. This is
    almost certainly a really bad idea.

    Dave.

    --
    Dave Ewart
    davee@ceu.ox.ac.uk
    Computing Manager, Cancer Epidemiology Unit
    Cancer Research UK / Oxford University
    PGP: CC70 1883 BD92 E665 B840 118B 6E94 2CFD 694D E370
    Get key from http://www.ceu.ox.ac.uk/~davee/davee-ceu-ox-ac-uk.asc
    N 51.7518, W 1.2016
