Re: authenticate from LDAP (samba PDC)
On 0, dman [EMAIL PROTECTED] wrote:
> On Tue, May 28, 2002 at 10:59:11AM +0930, Tom Cook wrote:
> | On 0, dman [EMAIL PROTECTED] wrote:
> | | We're trying to move from lots of duplicate authentication data on different systems to having a single unified sign-on source by using LDAP. I managed to get login and sshd to authenticate against an ldap server through pam. It's cool and quite simple as well.
> | |
> | | Now I want to make samba be the PDC for the windows machines and have it authenticate against the LDAP server as well. The docs I've read seem to indicate that samba and pam don't play together that well. The only solution I can think of is to periodically rebuild the smbpasswd file from LDAP.
> | |
> | | Does anyone have any suggestions as to the best way to achieve this?
> |
> | How will people change their passwords if you do this?
>
> It would have to be through some other access to LDAP.

I think so.

> The info I've found that throws the monkey wrench into the whole scheme (well, apart from MS :-)) is this:
> (http://us1.samba.org/samba/docs/Samba-HOWTO-Collection.html)
>
> 3.3 Note that Samba always ignores PAM for authentication in the case of encrypt passwords = yes. The reason is that PAM modules cannot support the challenge/response authentication mechanism needed in the presence of SMB password encryption.
>
> 8.3 ; encrypted passwords are a requirement for a PDC ... Encrypted passwords must be enabled.
>
> I found this same information in some other documents. Hmm, maybe if I specify the passwd program correctly then the password stored in LDAP can be updated through samba. That isn't such a big deal, IMO, because other means can be devised (eg an authenticated web form submission over SSL or logging in to a nicely-behaved PAM-enabled *NIX box and using 'passwd').

Certainly if you use a web form to change passwords then you could have it update both LDAP and smbpasswd.

> As it stands right now, there isn't any automated synchronization between the windows systems and the unix systems. The unix systems are semi-automated through NIS. Using LDAP would be a major improvement.

A good point. Some synchronisation is better than none.

> It would be less desirable, but also acceptable, if a win box was the domain controller, as long as it can authenticate against OpenLDAP running on a separate linux machine.

I am not sure, but I think there is a Novell product that will do this for you. If you are using NT 5.0, then it would seem that Kerberos is an option worth looking into: http://www.usenix.org/publications/login/1998-5/brundrett.html

Also it is possible to replace GINA.dll to do authentication however you want. Have a look at: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/security/security/winlogon_and_gina_start_page.asp

You *might* be able to pull the hashing code out of pam or login or whatever on your linux system and get NT talking straight to your LDAP.

Tom
--
Tom Cook
Information Technology Services, The University of Adelaide
Beware of computer programmers that carry screwdrivers. - Leonard Brandwein
Get my GPG public key: https://pinky.its.adelaide.edu.au/~tkcook/tom.cook-at-adelaide.edu.au
Re: authenticate from LDAP (samba PDC)
On Mon, May 27, 2002 at 02:38:04PM -0500, dman wrote:
> Now I want to make samba be the PDC for the windows machines and have it authenticate against the LDAP server as well. The docs I've read seem to indicate that samba and pam don't play together that well. The only solution I can think of is to periodically rebuild the smbpasswd file from LDAP.

samba.idealx.org.

The samba-LDAP PDC HOWTO :-)

--
Danie Roux *shuffle* Adore Unix
Re: authenticate from LDAP (samba PDC)
Begin Tom Cook quotation:
> > I found this same information in some other documents. Hmm, maybe if I specify the passwd program correctly then the password stored in LDAP can be updated through samba. That isn't such a big deal, IMO, because other means can be devised (eg an authenticated web form submission over SSL or logging in to a nicely-behaved PAM-enabled *NIX box and using 'passwd').
>
> Certainly if you use a web form to change passwords then you could have it update both LDAP and smbpasswd.
>
> > As it stands right now, there isn't any automated synchronization between the windows systems and the unix systems. The unix systems
>
> A good point. Some synchronisation is better than none.

I've got this sort of setup working, with /etc/pam.d/passwd:

    password required pam_ldap.so

and the samba password synchronisation:

    passwd chat = *New\spassword:* %n\n *Re-enter\snew\spassword:* %n\n.*

and then people change their passwords using 'smbpasswd', or the little "change password" button on the NT boxes (which simply runs smbpasswd). This does the trick. We've also got a nice web password-changing script, but that simply passes its arguments to smbpasswd, so it goes through the above procedure anyway.

It's a little ugly, in that everything on the linux box authenticates off ldap through pam except for samba, but it works.

Martin
--
pgp public key at http://ocsc.ormond.unimelb.edu.au/~mstrauss/pgp_key.asc or send email with subject: request key
-BEGIN GEEK CODE BLOCK- Version: 3.1 GCS/E/MU d? s: a--- C UL+$ P++ L++(+++) E--- W+++ N+++ o+ K? w--- O- M-- V- PS+++ PE Y++ PGP+++ t- 5- X- R+++ !tv b DI+++ D+(+++) G e* h++ r++ y+ --END GEEK CODE BLOCK--
Re: authenticate from LDAP (samba PDC)
On Tue, May 28, 2002 at 02:15:10PM +0930, Tom Cook wrote:
> Also it is possible to replace GINA.dll to do authentication however you want. Have a look at: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/security/security/winlogon_and_gina_start_page.asp
>
> You *might* be able to pull the hashing code out of pam or login or whatever on your linux system and get NT talking straight to your LDAP.

Which reminds me: http://pgina.cs.plu.edu/

Exactly such a replacement. GPL'ed too.

--
Danie Roux *shuffle* Adore Unix
Re: authenticate from LDAP (samba PDC)
On Tue, May 28, 2002 at 07:53:42AM +0200, Danie Roux wrote:
| On Mon, May 27, 2002 at 02:38:04PM -0500, dman wrote:
| | Now I want to make samba be the PDC for the windows machines and have it authenticate against the LDAP server as well. The docs I've read seem to indicate that samba and pam don't play together that well. The only solution I can think of is to periodically rebuild the smbpasswd file from LDAP.
|
| samba.idealx.org.
|
| The samba-LDAP PDC HOWTO :-)

I hadn't found any docs you guys sent me. Thanks! I'll be sure and read through them and find the best alternative.

-D
--
The righteous hate what is false, but the wicked bring shame and disgrace. Proverbs 13:5
GnuPG key : http://dman.ddts.net/~dman/public_key.gpg
authenticate from LDAP (samba PDC)
We're trying to move from lots of duplicate authentication data on different systems to having a single unified sign-on source by using LDAP. I managed to get login and sshd to authenticate against an ldap server through pam. It's cool and quite simple as well.

Now I want to make samba be the PDC for the windows machines and have it authenticate against the LDAP server as well. The docs I've read seem to indicate that samba and pam don't play together that well. The only solution I can think of is to periodically rebuild the smbpasswd file from LDAP.

Does anyone have any suggestions as to the best way to achieve this?

TIA,
-D
--
How to shoot yourself in the foot with Java: You find that Microsoft and Sun have released incompatible class libraries both implementing Gun objects. You then find that although there are plenty of feet objects implemented in the past in many other languages, you cannot get access to one. But seeing as Java is so cool, you don't care and go around shooting anything else you can find. (written by Mark Hammond)
GnuPG key : http://dman.ddts.net/~dman/public_key.gpg
Re: authenticate from LDAP (samba PDC)
On 0, dman [EMAIL PROTECTED] wrote:
> We're trying to move from lots of duplicate authentication data on different systems to having a single unified sign-on source by using LDAP. I managed to get login and sshd to authenticate against an ldap server through pam. It's cool and quite simple as well.
>
> Now I want to make samba be the PDC for the windows machines and have it authenticate against the LDAP server as well. The docs I've read seem to indicate that samba and pam don't play together that well. The only solution I can think of is to periodically rebuild the smbpasswd file from LDAP.
>
> Does anyone have any suggestions as to the best way to achieve this?

How will people change their passwords if you do this?

Tom
--
Tom Cook
Information Technology Services, The University of Adelaide
There are few things more satisfying than seeing your children have teenagers of their own. - Doug Larson
Get my GPG public key: https://pinky.its.adelaide.edu.au/~tkcook/tom.cook-at-adelaide.edu.au
Re: authenticate from LDAP (samba PDC)
On Tue, May 28, 2002 at 10:59:11AM +0930, Tom Cook wrote:
| On 0, dman [EMAIL PROTECTED] wrote:
| | We're trying to move from lots of duplicate authentication data on different systems to having a single unified sign-on source by using LDAP. I managed to get login and sshd to authenticate against an ldap server through pam. It's cool and quite simple as well.
| |
| | Now I want to make samba be the PDC for the windows machines and have it authenticate against the LDAP server as well. The docs I've read seem to indicate that samba and pam don't play together that well. The only solution I can think of is to periodically rebuild the smbpasswd file from LDAP.
| |
| | Does anyone have any suggestions as to the best way to achieve this?
|
| How will people change their passwords if you do this?

It would have to be through some other access to LDAP.

The info I've found that throws the monkey wrench into the whole scheme (well, apart from MS :-)) is this:
(http://us1.samba.org/samba/docs/Samba-HOWTO-Collection.html)

3.3 Note that Samba always ignores PAM for authentication in the case of encrypt passwords = yes. The reason is that PAM modules cannot support the challenge/response authentication mechanism needed in the presence of SMB password encryption.

8.3 ; encrypted passwords are a requirement for a PDC ... Encrypted passwords must be enabled.

I found this same information in some other documents. Hmm, maybe if I specify the passwd program correctly then the password stored in LDAP can be updated through samba. That isn't such a big deal, IMO, because other means can be devised (eg an authenticated web form submission over SSL or logging in to a nicely-behaved PAM-enabled *NIX box and using 'passwd').

As it stands right now, there isn't any automated synchronization between the windows systems and the unix systems. The unix systems are semi-automated through NIS. Using LDAP would be a major improvement.

It would be less desirable, but also acceptable, if a win box was the domain controller, as long as it can authenticate against OpenLDAP running on a separate linux machine.

-D
--
The teaching of the wise is a fountain of life, turning a man from the snares of death. Proverbs 13:14
GnuPG key : http://dman.ddts.net/~dman/public_key.gpg