ldap-authentication without sambaSamAccount on linux smb/cifs server (e.g. samba)

Posted by umlaeute on Server Fault See other posts from Server Fault or by umlaeute
Published on 2012-10-02T08:04:19Z Indexed on 2012/10/02 9:40 UTC
Read the original article Hit count: 239

Filed under:
|
|
|
|

i'm currently running samba-3.5.6 on a debian/wheezy host to act as the fileserver for our department's w32-clients. authentication is done via OpenLDAP, where each user-dn has an objectclass:sambaSamAccount that holds the smb-credentials and an objectclass:shadowAccount/posixAccount for "ordinary" authentication (e.g. pam, apache,...)

now we would like to dump our department's user-db, and instead use authenticate against the user-db of our upstream-organisation. these user-accounts are managed in a novell-edirectory, which i can already use to authenticate using pam (e.g. for ssh-logins; on another host). our upstream organisation provides smb/cifs based access (via some novell service) to some directories, which i can access from my linux client via smbclient.

what i currently don't manage to do is to use the upstream-ldap (the eDirectory) to authenticate our institution's samba:

i configured my samba-server to auth against the upstream ldap server:

passdb backend = ldapsam:ldaps://ldap.example.com

but when i try to authenticate a user, i get:

$ smbclient -U USER \\\\SMBSERVER\\test
Enter USER's password: 
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.6.6]
tree connect failed: NT_STATUS_ACCESS_DENIED

the logfiles show:

[2012/10/02 09:53:47.692987,  0] passdb/secrets.c:350(fetch_ldap_pw)
  fetch_ldap_pw: neither ldap secret retrieved!
[2012/10/02 09:53:47.693131,  0] lib/smbldap.c:1180(smbldap_connect_system)
  ldap_connect_system: Failed to retrieve password from secrets.tdb

i see two problems i'm having:

  • i don't have any administrator password for the upstream ldap (and most likely, they won't give me one). i only want to authenticate my users, write-access is not needed at all. can i go away with that?

  • the upstream ldap does not have any samba-related attributes in the db. i was under the impression, that for samba to authenticate, those attributes are required, as smb/cifs uses some trivial hashing which is not compatible with the usual posixAccount hashes.

is there a way for my department's samba server to authenticate against such an ldap server?

© Server Fault or respective owner

Related posts about debian

Related posts about ldap