ldap-authentication without sambaSamAccount on linux smb/cifs server (e.g. samba)

facebook twitter digg google delicious technorati stumbleupon myspace wordpress linkedin gmail igoogle windows live tumblr viadeo yahoo buzz yahoo mail yahoo bookmarks favorites email print

Posted by umlaeute on Server Fault See other posts from Server Fault or by umlaeute
Published on 2012-10-02T08:04:19Z Indexed on 2012/10/02 9:40 UTC
Read the original article Hit count: 237

Filed under:
|
|
|
|

i'm currently running samba-3.5.6 on a debian/wheezy host to act as the fileserver for our department's w32-clients. authentication is done via OpenLDAP, where each user-dn has an objectclass:sambaSamAccount that holds the smb-credentials and an objectclass:shadowAccount/posixAccount for "ordinary" authentication (e.g. pam, apache,...)

now we would like to dump our department's user-db, and instead use authenticate against the user-db of our upstream-organisation. these user-accounts are managed in a novell-edirectory, which i can already use to authenticate using pam (e.g. for ssh-logins; on another host). our upstream organisation provides smb/cifs based access (via some novell service) to some directories, which i can access from my linux client via smbclient.

what i currently don't manage to do is to use the upstream-ldap (the eDirectory) to authenticate our institution's samba:

i configured my samba-server to auth against the upstream ldap server:

passdb backend = ldapsam:ldaps://ldap.example.com

but when i try to authenticate a user, i get:

$ smbclient -U USER \\\\SMBSERVER\\test
Enter USER's password: 
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.6.6]
tree connect failed: NT_STATUS_ACCESS_DENIED

the logfiles show:

[2012/10/02 09:53:47.692987,  0] passdb/secrets.c:350(fetch_ldap_pw)
  fetch_ldap_pw: neither ldap secret retrieved!
[2012/10/02 09:53:47.693131,  0] lib/smbldap.c:1180(smbldap_connect_system)
  ldap_connect_system: Failed to retrieve password from secrets.tdb

i see two problems i'm having:

  • i don't have any administrator password for the upstream ldap (and most likely, they won't give me one). i only want to authenticate my users, write-access is not needed at all. can i go away with that?

  • the upstream ldap does not have any samba-related attributes in the db. i was under the impression, that for samba to authenticate, those attributes are required, as smb/cifs uses some trivial hashing which is not compatible with the usual posixAccount hashes.

is there a way for my department's samba server to authenticate against such an ldap server?

© Server Fault or respective owner

facebook twitter digg google delicious technorati stumbleupon myspace wordpress linkedin gmail igoogle windows live tumblr viadeo yahoo buzz yahoo mail yahoo bookmarks favorites email print

Related posts about debian

Related posts about ldap

Categories cloud

.NET ASP.NET iphone linux python Windows mysql android sql windows-7 html c ruby-on-rails css objective-c ubuntu networking sql-server wpf asp.net-mvc ruby database Xml apache AJAX osx security regex django Performance 12.04 windows-xp mac web-development iphone-sdk vb.net Silverlight apache2 flash server perl best-practices email installation eclipse visual-studio algorithm windows-server-2008 winforms wcf firefox bash dns /Oracle