On Mon, 2003-10-27 at 14:25, Chuck Stuettgen wrote:
> On Sun, 2003-10-26 at 00:32, Andrew Bartlett wrote:
>
> > > The exciting news is; I have Samba+e-Directory authentication working!
> >
> > Not really...
> >
> > > encrypt passwords = no
> >
> > That really doesn't count as 'working'. Working would be actually using
> > ldapsam against edirectory. We have bugs out against that, it appears
> > that (at least certain versions of) edirectory does not follow the
> > relevant RFCs.
> >
> How does not using encrypted passwords support your assertion that Samba
> is not using eDirectory for authentication?

I did not make that assertion. I however do assert that any solution that relies on plaintext passwords is flawed, insecure and buggy. There are a large number of known issues (starting with the need to patch the clients, but much worse than that) with plaintext CIFS authentication. Fundamentally, it is untested by Microsoft, with all that implies.

> The facts are:
>
> 1. Until I recompiled Samba to include the -with-ldapsam option I was
> not able to connect to the Samba shares.

I'm not sure where this fits in, but the point is moot.

> 2. There are no local user accounts contained in either the Linux passwd
> file or the Samba smbusers file.
> 3. Windows clients are using their Novell user id's and passwords when
> authenticating to the Samba shares.
> 4. With the appropriate pam_mkhomedir.so commands in /etc/pam.d/samba,
> the user's home directory is automatically created the first time the
> user connects to the Samba server, and the user has full rights to the
> directory.
> 5. I can provide DSTRACE LDAP log files that clearly show the
> authentication process.
>
>
> There obviously is an issue with using encrypted passwords with Samba
> and eDirectory. But, given the above facts, I can not honestly see how
> you can say that Samba is not using eDirectory for authentication.

I am warning other users that the solution you suggest is not stable, reliable nor long-term functional. It requires explicitly disabling Microsoft's own security policies, and cannot be used in a PDC setting.

> If I am wrong, please enlighten me.
>
> > https://bugzilla.samba.org/show_bug.cgi?id=330
> >
>
> Looking at this bug, the resolution is listed as "WONTFIX". Does this
> mean there are no plans to work with Novell on Samba/eDirectory support?

We are waiting for Novell to fix their product. There is little we can do until they do that. (We rely on certain RFC-specified behaviour in order to perform certain atomic updates).

> BTW I am using eDirectory 8.71 running on a NetWare 6.0 SP3 server.
>
> Finally,
>
> In case this post does not come across in the spirit that it is
> intended, please be aware that it is not meant to be combative in
> any way. My ONLY goal is to use Samba in an eDirectory environment and
> contribute back to the Samba community my experiences in doing so.
>
> So far I have successfully set up two Samba servers and I am in the
> process of documenting the procedure. I will post the completed
> document on my website when I am satisfied that anyone can follow it.

I wish you luck, but strongly warn you to keep a very close eye on your system's stability, particularly in relation to network drop-outs.

Andrew Bartlett

--
Andrew Bartlett                                 [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team  [EMAIL PROTECTED]
Student Network Administrator, Hawker College   [EMAIL PROTECTED]
http://samba.org     http://build.samba.org     http://hawkerc.net
