Re: [Samba] would like to use samba3 pdc, no ldap account backend db, but use ldap for authN

2012-05-16 Thread Volker Lendecke
On Wed, May 16, 2012 at 08:24:11AM -0500, Jon Detert wrote:
> How then does it work when using ldap as the account backend database?
> Does the schema include an attribute for the LMAN hashed password?

sambaLMPassword and sambaNTPassword. smbd will read those to
do its job.

Volker

-- 
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-37-0, fax: +49-551-37-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.sernet.de, mailto:kont...@sernet.de
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
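
Added example (not part of any message in this thread, and not Samba code): a Python sketch of the NTLMv2 form of the challenge-response check, showing why the verifying server needs the stored sambaNTPassword value and has no plain text password to hand to PAM or an LDAP bind. The directory entry, user name, domain name and function names are constructed for illustration; the client blob is a random stand-in for the real structured blob.

```python
import hashlib
import hmac
import os

# Constructed sample directory entry. The value is the NT hash of the
# string "password", stored the way sambaNTPassword holds it (32 hex digits).
ENTRY = {"uid": "jdoe", "sambaNTPassword": "8846F7EAEE8FB117AD06BDD830B7586C"}
DOMAIN = "EXAMPLE"  # hypothetical domain name


def ntlmv2_key(nt_hash: bytes, user: str, domain: str) -> bytes:
    """NTLMv2 key: HMAC-MD5 keyed with the NT hash over UPPER(user) + domain."""
    identity = (user.upper() + domain).encode("utf-16-le")
    return hmac.new(nt_hash, identity, hashlib.md5).digest()


def client_response(nt_hash: bytes, user: str, domain: str,
                    server_challenge: bytes, client_blob: bytes) -> bytes:
    """What the client sends: a proof over the challenge, never the password.
    A real client derives nt_hash as MD4(UTF-16LE(password)) locally."""
    key = ntlmv2_key(nt_hash, user, domain)
    proof = hmac.new(key, server_challenge + client_blob, hashlib.md5).digest()
    return proof + client_blob


def server_verify(entry: dict, domain: str, server_challenge: bytes,
                  response: bytes) -> bool:
    """What the server side must do: recompute the proof from the stored hash.
    Its inputs are the challenge, the response and sambaNTPassword; there is
    no plaintext here that could be passed on to PAM or an LDAP bind."""
    stored = bytes.fromhex(entry["sambaNTPassword"])
    proof, client_blob = response[:16], response[16:]
    key = ntlmv2_key(stored, entry["uid"], domain)
    expected = hmac.new(key, server_challenge + client_blob, hashlib.md5).digest()
    return hmac.compare_digest(proof, expected)


def demo() -> tuple:
    challenge = os.urandom(8)   # server challenge, fresh per logon
    blob = os.urandom(16)       # stands in for the client's timestamp/nonce blob
    good = client_response(bytes.fromhex(ENTRY["sambaNTPassword"]),
                           ENTRY["uid"], DOMAIN, challenge, blob)
    bad = client_response(bytes(16), ENTRY["uid"], DOMAIN, challenge, blob)
    return (server_verify(ENTRY, DOMAIN, challenge, good),
            server_verify(ENTRY, DOMAIN, challenge, bad))


if __name__ == "__main__":
    print(demo())
```

Because the stored hash is all the server needs to accept a logon, the directory should restrict read access to the sambaNTPassword and sambaLMPassword attributes.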


Re: [Samba] would like to use samba3 pdc, no ldap account backend db, but use ldap for authN

2012-05-16 Thread Gaiseric Vandal
On 05/16/12 09:24, Jon Detert wrote:
> - Original Message -
>> From: "Volker Lendecke" 
>> To: "Jon Detert" 
>> Cc: samba@lists.samba.org
>> Sent: Wednesday, May 16, 2012 1:28:51 AM
>> Subject: Re: [Samba] would like to use samba3 pdc, no ldap account backend 
>> db, but use ldap for authN
>>
>> On Tue, May 15, 2012 at 04:54:37PM -0500, Jon Detert wrote:
>>> I'd like to:
>>>
>>> 1) use samba3 as a PDC, and
>>> 2) not use LDAP as the account backend database, and
>>> 3) specify samba to use but use "encrypt passwords = true", and
>>> 4) use an ldap server as the authentication source for samba.
>>>
>>> Is that possible?
> -- snip --
>
>>> work-around?  I don't want to add the samba schema to my
>>> existing ldap server, but I do want to use my existing
>>> ldap server for authN.
>> No, this is not possible. Samba never sees the plain text
>> password which is required for authentication via PAM.
>>
>> Volker
> How then does it work when using ldap as the account backend database?
> Does the schema include an attribute for the LMAN hashed password?

LDAP has attributes for both unix and windows passwords.  Since samba
can reset the unix password when you change your windows password, it
lets it appear to be a single password (even if both, neither, or only
one system uses LDAP backend.)  If you are going to use LDAP for unix
authentication, the incremental effort for samba authentication isn't
that much.  I think it makes for a cleaner IT environment if you can
consolidate your account backends.




Re: [Samba] would like to use samba3 pdc, no ldap account backend db, but use ldap for authN

2012-05-16 Thread Jon Detert
- Original Message -
> From: "Volker Lendecke" 
> To: "Jon Detert" 
> Cc: samba@lists.samba.org
> Sent: Wednesday, May 16, 2012 1:28:51 AM
> Subject: Re: [Samba] would like to use samba3 pdc, no ldap account backend 
> db, but use ldap for authN
> 
> On Tue, May 15, 2012 at 04:54:37PM -0500, Jon Detert wrote:
> > I'd like to:
> > 
> > 1) use samba3 as a PDC, and
> > 2) not use LDAP as the account backend database, and
> > 3) specify samba to use but use "encrypt passwords = true", and
> > 4) use an ldap server as the authentication source for samba.
> > 
> > Is that possible?

-- snip --

> > work-around?  I don't want to add the samba schema to my
> > existing ldap server, but I do want to use my existing
> > ldap server for authN.
> 
> No, this is not possible. Samba never sees the plain text
> password which is required for authentication via PAM.
> 
> Volker

How then does it work when using ldap as the account backend database?
Does the schema include an attribute for the LMAN hashed password?
-- 
Jon Detert
Sr. Systems Administrator
Infinity Healthcare
Milwaukee, Wisconsin
414-290-6759


Re: [Samba] would like to use samba3 pdc, no ldap account backend db, but use ldap for authN

2012-05-15 Thread Volker Lendecke
On Tue, May 15, 2012 at 04:54:37PM -0500, Jon Detert wrote:
> I'd like to:
> 
> 1) use samba3 as a PDC, and
> 2) not use LDAP as the account backend database, and
> 3) specify samba to use but use "encrypt passwords = true", and
> 4) use an ldap server as the authentication source for samba.
> 
> Is that possible?
> 
> I'd assumed it would be given that samba is pam-aware, and
> I can tell pam to use ldap for authN.
> 
> However, the man page for smb.conf seems to say no, as it
> says that "obey pam restrictions = true" will be ignored
> when "encrypt password" is set to true.
> 
> Am I understanding this correctly?  Is there a
> work-around?  I don't want to add the samba schema to my
> existing ldap server, but I do want to use my existing
> ldap server for authN.

No, this is not possible. Samba never sees the plain text
password which is required for authentication via PAM.

Volker

-- 
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-37-0, fax: +49-551-37-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.sernet.de, mailto:kont...@sernet.de


[Samba] would like to use samba3 pdc, no ldap account backend db, but use ldap for authN

2012-05-15 Thread Jon Detert
I'd like to:

1) use samba3 as a PDC, and
2) not use LDAP as the account backend database, and
3) specify samba to use but use "encrypt passwords = true", and
4) use an ldap server as the authentication source for samba.

Is that possible?

I'd assumed it would be given that samba is pam-aware, and I can tell pam to 
use ldap for authN.

However, the man page for smb.conf seems to say no, as it says that "obey pam 
restrictions = true" will be ignored when "encrypt password" is set to true.

Am I understanding this correctly?  Is there a work-around?  I don't want to 
add the samba schema to my existing ldap server, but I do want to use my 
existing ldap server for authN.

Thanks,

-- 
Jon Detert
Sr. Systems Administrator
Infinity Healthcare
Milwaukee, Wisconsin
414-290-6759