2

I'm trying to get a server set up that provides some file shares to Windows clients, and I'd like it to integrate with an existing authentication framework my school already has set up. There's a Windows LDAP server that holds info about all the students here - I'd like Samba to authenticate against that server and grant access to shares as appropriate.

I've looked around for guides, but all I've been able to find is documentation for setting up my own LDAP server for Samba to use. My situation is somewhat restricted: I don't have administrator rights on the LDAP server, and I need to use that server because I'd very much like to provide a unified login for my users (i.e. not have to have everyone maintain a separate account on this server).

I've managed to get LDAP, Kerberos, PAM, and NSS set up so that users can log in via SSH with their LDAP usernames, but I can't figure out how to get Samba to do the same. I've heard that it's bad to have Samba use PAM, as that requires disabling password encryption. Is there a way to, without admin privileges on any remote machine, set up Samba to authenticate users against a separate LDAP (or Kerberos) server? (This also means it's mostly out of the question to join the server to the Active Directory domain.)

Tim

3 Answers

2

I believe it will be necessary to at least have a domain admin on the LDAP server come over to type their password at least one time to accomplish what you want and join Samba to the domain.

Given that, the steps should be relatively simple. Taken from the Samba Wiki, set the following in your Samba config:

* passdb backend = ldapsam:ldap://<your-hostname>
* ldap suffix = 
* ldap admin dn 

Then run smbpasswd -w to let Samba know the password for the admin DN.

There is also a nice writeup here.

WerkkreW
  • I'd kind of like to be able to get this running without needing to join the machine to the domain - is there no other way? – Tim May 13 '09 at 19:43
  • I'm accepting this answer because it's the closest to what I'd like to do, and after more Googling I'm not sure my original setup is viable anyway - perhaps this will help others. – Tim May 15 '09 at 22:07
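
A check for the three settings listed in the answer above, as an added example that is not part of the original answers or the Samba Wiki: it parses the `[global]` section of an smb.conf and reports an incomplete ldapsam setup or a plain `ldap://` backend without StartTLS. The sample configuration, hostname and DNs are constructed placeholders, the function names are hypothetical, and requiring `ldap ssl = start tls` to be set explicitly is this example's own policy.

```python
import re

# Constructed sample [global] section; hostname and DNs are placeholders.
SAMPLE_CONF = """\
[global]
   workgroup = EXAMPLE
   Passdb Backend = ldapsam:ldap://ldap.example.edu
   ldap suffix = dc=example,dc=edu
   ; ldap admin dn = cn=samba,dc=example,dc=edu
   ldap ssl = off
"""

def parse_global(text):
    """Return the [global] parameters as {normalized name: value}."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        m = re.fullmatch(r"\[(.*)\]", line)
        if m:
            section = m.group(1).strip().lower()
            continue
        if section == "global" and "=" in line:
            name, value = line.split("=", 1)     # only the first '=' separates
            # smb.conf ignores case and whitespace in parameter names
            params[re.sub(r"\s+", "", name).lower()] = value.strip()
    return params

def audit_ldapsam(text):
    """List problems with an ldapsam passdb configuration."""
    p, findings = parse_global(text), []
    backend = p.get("passdbbackend", "")
    if not backend.lower().startswith("ldapsam:"):
        return ["passdb backend is not ldapsam"]
    for name, key in (("ldap suffix", "ldapsuffix"), ("ldap admin dn", "ldapadmindn")):
        if not p.get(key):
            findings.append(f"{name} is missing or empty")
    url = backend.split(":", 1)[1].strip().strip('"').lower()
    # Example policy (assumption): StartTLS must be requested explicitly.
    start_tls = re.sub(r"\s+", "", p.get("ldapssl", "")).lower() == "starttls"
    if url.startswith("ldap://") and not start_tls:
        findings.append("ldap:// without 'ldap ssl = start tls': LDAP traffic is not encrypted")
    return findings

if __name__ == "__main__":
    for finding in audit_ldapsam(SAMPLE_CONF):
        print("FINDING:", finding)
```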
2

Samba needs custom attributes and objects in the LDAP tree to store the Windows password hashes and additional data like password expiry. There is a samba.schema file in the Samba source distribution. Debian ships it in samba-doc.

As tooling on the Samba server I would recommend smbldap-tools. They provide extensive example config files, which can be easily adapted to local setups. Using them you can even enable password changing via Windows for your users.

The real problem will be how you create the needed password hashes. They can only be generated from the original clear-text password and have to be maintained when changing passwords.

David Schmitt
1

Doug Wilson has an article on authenticating a Samba client with Kerberos and Active Directory here.

sclarson