Hello,

I am using LDAP as passdb and idmap backends with Samba 3.0.3, and have a problem with the configuration of 'ldap admin dn'. Currently, I have to set the password for this DN with 'smbpasswd -w' (which works) and Samba is doing simple LDAP binds then.

I would prefer a GSSAPI based LDAP authentication, which would have the following advantages:

* the 'userPassword' attribute could be dropped (Samba is the only service which is requiring it); supporting this attribute beside krb5 requires some effort on the LDAP server
* the authentication is passwordless; potential attackers cannot hack passwords (krb tickets are limited in time and probably uninteresting for them)
* it would ease configuration with 'cfengine'; executing 'smbpasswd -w<password>' is really bad since '<password>' appears for a short time in the process list. Since the password is stored in a binary format, it cannot be modified in another way.

The practical usage of GSSAPI based auth would be:

1. configure a krb5 cache file (e.g. with $KRB5CCNAME, or an option in smb.conf)
2. periodically (with a cronjob) write the ticket into this file (when you are paranoid, this can happen on another machine and copied with ssh)
3. on demand, samba uses ldap_sasl_bind() instead of ldap_simple_bind()

Am I missing something and such a setup is already supported by samba, or is it a wishlist item?

Enrico

--
To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
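The ticket-refresh part of the setup described in the post (steps 1 and 2, plus a check that the resulting cache actually yields a GSSAPI bind), as an added example that is not from the post and is not Samba's own code or configuration. The principal name, keytab path, cache directory and LDAP URI are assumptions for illustration; the kinit flags are MIT Kerberos's and ldapwhoami is the OpenLDAP client.

```shell
#!/bin/sh
# Added example, not from the post and not part of Samba: a cron-driven
# refresh of the Kerberos ticket a GSSAPI LDAP bind would consume, covering
# steps 1 and 2 of the proposed setup plus a check that the bind works.
# Every name and path below is an assumption for illustration.
set -eu

LDAP_PRINCIPAL="${LDAP_PRINCIPAL:-samba-ldap/host.example.org@EXAMPLE.ORG}" # assumed
LDAP_KEYTAB="${LDAP_KEYTAB:-/etc/samba/ldap-admin.keytab}"                  # assumed
CCACHE_DIR="${CCACHE_DIR:-/var/run/samba/krb5}"                             # assumed
CCACHE_FILE="$CCACHE_DIR/ldap-admin.cc"
LDAP_URI="${LDAP_URI:-ldap://ldap.example.org}"                             # assumed

# Returns 0 only if $1 has no group/other permission bits set.
# The mode string is columns 1-10 of 'ls -l' output; columns 5-10 are the
# group and other bits, so a private file or directory shows '------' there.
is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Step 1: a dedicated cache directory readable only by the service account.
# Fails rather than continuing if the directory is not private, since a
# readable cache file hands the ticket to every local user.
prepare_ccache_dir() {
    mkdir -p "$1"
    chmod 0700 "$1"
    if ! is_private "$1"; then
        echo "refusing to use $1: group/other permission bits are set" >&2
        return 1
    fi
}

# Step 2: obtain a fresh TGT from the keytab, so no password ever appears on
# a command line or in the process list. Writing to a temporary file and
# renaming means the consumer never sees a half-written cache.
refresh_ticket() {
    is_private "$LDAP_KEYTAB" || { echo "keytab $LDAP_KEYTAB is not private" >&2; return 1; }
    tmp="$CCACHE_FILE.tmp.$$"
    kinit -k -t "$LDAP_KEYTAB" -c "FILE:$tmp" "$LDAP_PRINCIPAL"
    chmod 0600 "$tmp"
    mv "$tmp" "$CCACHE_FILE"
}

# Check for step 3: prove the cache yields a GSSAPI bind before anything
# depends on it. -Y selects the SASL mechanism, -H the server URI.
verify_bind() {
    KRB5CCNAME="FILE:$CCACHE_FILE" ldapwhoami -Y GSSAPI -H "$LDAP_URI"
}

# Assumed cron entry: */30 * * * * /usr/local/sbin/refresh-ldap-ticket refresh
if [ "${1:-}" = "refresh" ]; then
    prepare_ccache_dir "$CCACHE_DIR"
    refresh_ticket
    verify_bind
fi
```

Run it from cron as the account Samba runs under, and point the consumer at the cache with KRB5CCNAME=FILE:/var/run/samba/krb5/ldap-admin.cc (the assumed path above). The permission checks are what make the keytab-based approach safer than a password in argv: the keytab and the cache are long-lived secrets on disk, so they must stay 0600 and the directory 0700.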