Read only ldap authentication for Samba

Asked by Ubuntu User

We have a Sun One Directory server on our network that holds our user records. I would like to set up Samba so that it uses this server for its authentication.

It seems like I should be able to do this, but every example I see on the web seems to require putting the directory manager password in some of the conf files for samba and the requisite pam conf files. I don't have this information and doubt I would get it from the administrators.

I just want to allow users in the ldap to use the samba server.

Is there an easy way to allow read only (users can't change their ldap settings or passwords) authentication via ldap for samba?

I have been banging my head against this for a day or so and thought I would turn it over to the community to see if they can offer some help or point me to some good resources.

Thanks in advance.

Jim

Question information

Language: English
Status: Solved
For: Ubuntu
Solved by: Lionel Porcheron
Lionel Porcheron (lionel.porcheron) said :
#1

Hi Jim,

You are right that most of the examples that are available on the Internet for Samba-LDAP use directory administrator credentials. That is not necessary! You can use another user with sufficient credentials. Sufficient credentials would be to have read access to all samba* attributes in the directory. The attributes sambaNTPassword and sambaLMPassword should not be world readable (so anonymous access is not advised).

Ubuntu User (anotherubuntuuser) said :
#2

Thanks, Lionel-

I can't add a sambaNTpassword attribute or sambaLMpassword attribute. I just want them to use the username and password that are already in the Sun LDAP to authenticate against.

If samba sees them in the LDAP, and their password is valid, I want to let them login. If it doesn't, I want to deny access.

I appreciated your prompt reply. I am used to being on the other side offering help instead of needing it.

Jim Jones

davee (davee-sungate) said :
#3

Unfortunately it's not that simple, Jim.

If you are authenticating Windows clients, then normally the authentication is against the samba(NT|LM)Password attribute, simply because that's what the Windows client *sends* to the Samba server, i.e. Windows 98 and more recent all use encrypted passwords by default and the Samba server receives either the LM hash or the NT hash of the password. The password hashing is done on the Windows client.

The Samba server doesn't have the plaintext password to send to LDAP, and therefore cannot bind against the userPassword attribute. This is also why Samba can't try to bind as the *user*, since it doesn't have the password: Samba needs to bind as another LDAP entity.

Lionel Porcheron (lionel.porcheron) said :
#4

If you cannot add the Samba LDAP schema to your LDAP, you can use PAM on your Samba server to authenticate your clients against the LDAP directory. Note that this means you need to use clear passwords and, as a result, to patch *all* workstations that will connect to your Samba (in order to make them send the password in clear, not the hash, as davee explained).

Ubuntu User (anotherubuntuuser) said :
#5

Lionel-

Thanks so much again. You have been very helpful and informative. It looks like we may need to try something else, possibly.

I appreciate your patience in introducing me to the complexities of Samba and LDAP; it has been much appreciated.