I'm currently running samba-3.5.6 on a Debian/wheezy host to act as the file server for our department's w32 clients.
Authentication is done via OpenLDAP, where each user DN has an objectClass sambaSamAccount that holds the SMB credentials and an objectClass shadowAccount/posixAccount for "ordinary" authentication (e.g. PAM, Apache, ...).
Now we would like to dump our department's user DB and instead authenticate against the user DB of our upstream organisation.
These user accounts are managed in a Novell eDirectory, which I can already use to authenticate via PAM (e.g. for SSH logins, on another host).
Our upstream organisation provides SMB/CIFS-based access (via some Novell service) to some directories, which I can access from my Linux client via smbclient.
What I currently can't manage to do is use the upstream LDAP (the eDirectory) to authenticate our institution's Samba:
I configured my Samba server to authenticate against the upstream LDAP server:

    passdb backend = ldapsam:ldaps://ldap.example.com

but when I try to authenticate a user, I get:

    $ smbclient -U USER \\\\SMBSERVER\\test
    Enter USER's password:
    Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.6.6]
    tree connect failed: NT_STATUS_ACCESS_DENIED

The log files show:

    [2012/10/02 09:53:47.692987, 0] passdb/secrets.c:350(fetch_ldap_pw)
      fetch_ldap_pw: neither ldap secret retrieved!
    [2012/10/02 09:53:47.693131, 0] lib/smbldap.c:1180(smbldap_connect_system)
      ldap_connect_system: Failed to retrieve password from secrets.tdb

I see two problems I'm having:

1. I don't have any administrator password for the upstream LDAP (and most likely they won't give me one). I only want to authenticate my users; write access is not needed at all. Can I get away with that?
2. The upstream LDAP does not have any Samba-related attributes in the DB. I was under the impression that for Samba to authenticate, those attributes are required, as SMB/CIFS uses some trivial hashing which is not compatible with the usual posixAccount hashes.

Is there a way for my department's Samba server to authenticate against such an LDAP server?
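As an added example (not part of the question or any answer, and not Samba's own tooling): a small POSIX-shell check for the two prerequisites behind the quoted log lines. With `passdb backend = ldapsam:...`, Samba binds as `ldap admin dn` using the password stored in secrets.tdb by `smbpasswd -w` in order to read the sambaSamAccount hashes (sambaNTPassword); the smb.conf fragment and log excerpt below are constructed to mirror the question, and the admin DN used in the check is a placeholder.

```shell
#!/bin/sh
# Constructed smb.conf fragment mirroring the question (no "ldap admin dn" yet).
SMBCONF_SAMPLE='[global]
   workgroup = WORKGROUP
   passdb backend = ldapsam:ldaps://ldap.example.com
   ldap suffix = dc=example,dc=com'

# Constructed log excerpt reproducing the lines quoted in the question.
LOG_SAMPLE='[2012/10/02 09:53:47.692987, 0] passdb/secrets.c:350(fetch_ldap_pw)
  fetch_ldap_pw: neither ldap secret retrieved!
[2012/10/02 09:53:47.693131, 0] lib/smbldap.c:1180(smbldap_connect_system)
  ldap_connect_system: Failed to retrieve password from secrets.tdb'

# Print the value of smb.conf parameter $2 from config text $1. The key is
# matched case-insensitively and the line is split only on the first "=",
# so DN values such as "cn=...,dc=..." survive intact.
smb_param() {
    printf '%s\n' "$1" | awk -v key="$2" '
        index($0, "=") > 0 {
            i = index($0, "="); k = substr($0, 1, i - 1); v = substr($0, i + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (tolower(k) == tolower(key)) { print v; exit }
        }'
}

# ldapsam needs "ldap admin dn" plus its password stored in secrets.tdb via
# "smbpasswd -w"; the quoted error is what smbldap_connect_system() logs when
# that stored password is absent. Returns 0 if the config is complete, else 1.
check_ldapsam_conf() {
    backend=$(smb_param "$1" "passdb backend")
    case "$backend" in
        ldapsam*) ;;
        *) echo "passdb backend is '$backend', not ldapsam: nothing to check"; return 0 ;;
    esac
    rc=0
    [ -n "$(smb_param "$1" "ldap admin dn")" ] ||
        { echo "missing: ldap admin dn (bind DN; store its password with smbpasswd -w)"; rc=1; }
    [ -n "$(smb_param "$1" "ldap suffix")" ] || { echo "missing: ldap suffix"; rc=1; }
    return $rc
}

# Count log lines reporting the secrets.tdb bind-password failure.
count_ldap_secret_failures() {
    printf '%s\n' "$1" | grep -c -e 'fetch_ldap_pw: neither ldap secret retrieved' \
                                 -e 'Failed to retrieve password from secrets.tdb'
}

check_ldapsam_conf "$SMBCONF_SAMPLE" || echo "smb.conf is incomplete for ldapsam"
echo "ldap secret failures in log: $(count_ldap_secret_failures "$LOG_SAMPLE")"
```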