Re: [Samba] Samba & (anonymous) LDAP Authentication
Unix and Windows/Samba servers both store passwords in a one-way encrypted format. So when you authenticate to a server, you type in your password, the server encrypts it and compares it to the encrypted version it has in its password database. This is important since your encrypted password data may (legitimately or not) be accessible to other people. This is separate from any network-level encryption that may be used. (For example, if you telnet into a server your password is stored in an encrypted format but the password is still transmitted in the clear.)

Unix and Windows use different password encryption methods, which means that they have to have different encrypted passwords stored, which means the users have to have different passwords. (Unix uses things like CRYPT or MD5.)

You can have unix use the windows password via Winbindd. However, to have Windows/Samba use the unix password (which is what you want) you would have to configure samba to disable the password encryption (which is what you don't want). I am not sure of the exact syntax and I am pretty sure it is strongly discouraged.

As far as I know, you cannot use Windows password encryption routines for the unix passwords directly.

On 03/29/2010 07:16 PM, Robert Heller wrote:
> At Mon, 29 Mar 2010 17:38:39 -0400 gaiseric.van...@gmail.com wrote:
>
> > According to how you have described your environment, whether or not you use LDAP for Samba's backend, your users will still need corresponding unix accounts AND will still have separate unix and windows passwords. If you use ldap there will be separate fields for the different passwords. If you configure password sync it should appear to the users that they have a single password. (i.e. they change the password in Windows or with smbpasswd the unix password should also change.)
> >
> > If you really want a single password I think your options are as follows:
> > - Configure unix logons to use winbind authentication (i.e. authenticate using the samba/windows password).
> > - Use kerberos for unix and samba.
> >
> > But that may not resolve your concerns with Samba writing to LDAP.
> >
> > So if you only have one samba machine and only a few users you may still want to stick to the TDB backend for the windows account info. Samba will still match the unix name to the windows name either way.
>
> OK, it looks like that is what I am stuck with. I only *really* need one or two users -- it is only for dealing with backups and posting some files. This seems to work. I will just have to live with the potential issues of possible differing passwords if/when that happens -- it is only two usernames at present.
>
> Question: why can't samba just use UNIX's user authentication? Is this something in the way MS-Windows encrypts the password it sends over the NetBIOS protocol? Or is there some other issue going on?

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Samba & (anonymous) LDAP Authentication
At Mon, 29 Mar 2010 17:38:39 -0400 gaiseric.van...@gmail.com wrote:

> According to how you have described your environment, whether or not you use LDAP for Samba's backend, your users will still need corresponding unix accounts AND will still have separate unix and windows passwords. If you use ldap there will be separate fields for the different passwords. If you configure password sync it should appear to the users that they have a single password. (i.e. they change the password in Windows or with smbpasswd the unix password should also change.)
>
> If you really want a single password I think your options are as follows:
> - Configure unix logons to use winbind authentication (i.e. authenticate using the samba/windows password).
> - Use kerberos for unix and samba.
>
> But that may not resolve your concerns with Samba writing to LDAP.
>
> So if you only have one samba machine and only a few users you may still want to stick to the TDB backend for the windows account info. Samba will still match the unix name to the windows name either way.

OK, it looks like that is what I am stuck with. I only *really* need one or two users -- it is only for dealing with backups and posting some files. This seems to work. I will just have to live with the potential issues of possible differing passwords if/when that happens -- it is only two usernames at present.

Question: why can't samba just use UNIX's user authentication? Is this something in the way MS-Windows encrypts the password it sends over the NetBIOS protocol? Or is there some other issue going on?

--
Robert Heller             -- 978-544-6933
Deepwoods Software        -- Download the Model Railroad System
http://www.deepsoft.com/  -- Binaries for Linux and MS-Windows
hel...@deepsoft.com       -- http://www.deepsoft.com/ModelRailroadSystem/
Re: [Samba] Samba & (anonymous) LDAP Authentication
According to how you have described your environment, whether or not you use LDAP for Samba's backend, your users will still need corresponding unix accounts AND will still have separate unix and windows passwords. If you use ldap there will be separate fields for the different passwords. If you configure password sync it should appear to the users that they have a single password. (i.e. they change the password in Windows or with smbpasswd the unix password should also change.)

If you really want a single password I think your options are as follows:
- Configure unix logons to use winbind authentication (i.e. authenticate using the samba/windows password).
- Use kerberos for unix and samba.

But that may not resolve your concerns with Samba writing to LDAP.

So if you only have one samba machine and only a few users you may still want to stick to the TDB backend for the windows account info. Samba will still match the unix name to the windows name either way.

    # pdbedit -Lv jsmith
    ...
    Unix username:jsmith
    NT username: jsmith

I am running LDAP backend for both unix and samba/windows accounts. Initially I was running NIS for unix passwords and TDB for samba, then I moved unix to ldap (while keeping samba in TDB) and then I moved samba to TDB. I wanted LDAP backend for everything to make it easier to support multiple Samba machines and also because I did want to consolidate account information as much as possible.

You should be able to create an ldap user that has full (or a lot) of rights on a particular branch of your ldap tree. I use sun directory studio so I am not sure how this would be handled with OpenLDAP. I think Samba will still need to write things like "last logon" info to ldap. And if you have password sync Samba needs to write to the password fields.

LDAP ACL's are not my strong point -- I mostly copy, edit and paste existing ACL's.

On 03/29/2010 04:43 PM, Robert Heller wrote:
> I am trying to set things up to allow a *few* select users on a small number of MS-Windows boxes to write to a couple of directories on a Linux server. Most of the users on the MS-Windows boxes will only have anonymous (guest) read-only access to one directory and anonymous (guest) access to the printers.
>
> The Linux server primarily is a PXEBoot and NFS server for a group of diskless Linux workstations. I am using LDAP for user Authentication for these machines. I would *like* to have just one user authentication database (the LDAP one). The MS-Windows machines will *never* need to allow things like user creation or modification (including password changing), so Samba *should not need* the rootdn password for the LDAP server.
>
> I am having a hard time figuring out how to do this. It *seems* that Samba wants to have the rootdn password -- do I have to configure it that way? Or do I have to *duplicate* the user authentication in Samba's own user database (resulting in people having their passwords in two separate places and/or end up having two passwords for their accounts [a Linux password and a MS-Windows password])?
>
> The *best* option would be for Samba to just go through pam/nss (like everything else under Linux), but it looks like Samba no longer does things this way.
>
> I am using Samba 3.0.33-3.15.el5_4.1 on a CentOS 5.4 (32-bit) system.
[Samba] Samba & (anonymous) LDAP Authentication
I am trying to set things up to allow a *few* select users on a small number of MS-Windows boxes to write to a couple of directories on a Linux server. Most of the users on the MS-Windows boxes will only have anonymous (guest) read-only access to one directory and anonymous (guest) access to the printers.

The Linux server primarily is a PXEBoot and NFS server for a group of diskless Linux workstations. I am using LDAP for user Authentication for these machines. I would *like* to have just one user authentication database (the LDAP one). The MS-Windows machines will *never* need to allow things like user creation or modification (including password changing), so Samba *should not need* the rootdn password for the LDAP server.

I am having a hard time figuring out how to do this. It *seems* that Samba wants to have the rootdn password -- do I have to configure it that way? Or do I have to *duplicate* the user authentication in Samba's own user database (resulting in people having their passwords in two separate places and/or end up having two passwords for their accounts [a Linux password and a MS-Windows password])?

The *best* option would be for Samba to just go through pam/nss (like everything else under Linux), but it looks like Samba no longer does things this way.

I am using Samba 3.0.33-3.15.el5_4.1 on a CentOS 5.4 (32-bit) system.

--
Robert Heller             -- 978-544-6933
Deepwoods Software        -- Download the Model Railroad System
http://www.deepsoft.com/  -- Binaries for Linux and MS-Windows
hel...@deepsoft.com       -- http://www.deepsoft.com/ModelRailroadSystem/
Re: [Samba] Samba Anonymous LDAP Authentication
Why not create an admin user in the ldap server which only has read access to the samba attributes of the user as well as the uid and group info? Then make that user only have those privileges from the specific IP of the other samba server.

Duncan

Matthew Crites wrote:
> Hello all. I have a Samba PDC server working great already. However on another host on the network I would like to setup a Samba server that authenticates to the same LDAP server that my Samba PDC is using. However I want to do this anonymously without telling the second server the admin password for LDAP. I cannot seem to find any documentation for anonymous LDAP authentication using Samba. Do I have to give Samba the admin password just to access authentication records?

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
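
One way to express the restriction suggested in the reply above, as an added example that is not part of the thread: a slapd.conf access-control fragment, assuming the directory server is OpenLDAP. The bind DN cn=samba-ro,dc=example,dc=com and the address 192.0.2.10 are placeholders; the second Samba server would bind as that DN through "ldap admin dn" in smb.conf, with the password stored by "smbpasswd -w".

```conf
# slapd.conf fragment (OpenLDAP assumed; DN and IP below are placeholders).
# slapd applies the first "access to" clause whose <what> matches and, inside
# it, the first matching "by" clause, so the specific rules come first.
# The rootdn is never subject to ACLs, so a PDC that binds as rootdn is
# unaffected; a PDC using another admin DN needs its own "by ... write" lines.

# Samba password hashes: readable only by the read-only Samba bind DN, and
# only when that DN connects from the second Samba server's address.
access to attrs=sambaNTPassword,sambaLMPassword
    by dn.exact="cn=samba-ro,dc=example,dc=com" peername.ip=192.0.2.10 read
    by * none

# Unix password: usable for binding (this also lets cn=samba-ro itself
# authenticate), changeable by its owner, readable by nobody.
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none

# Everything else (uid, gid, group membership, remaining samba* attributes):
# read-only for the Samba bind DN from that one address.
# Other clients, for example the nss/pam lookups of the Linux workstations,
# need their own "by" clauses added here before the final deny.
access to *
    by dn.exact="cn=samba-ro,dc=example,dc=com" peername.ip=192.0.2.10 read
    by * none
```

With these rules any write the second server attempts is refused by the directory, so the setup suits a server that only authenticates users. The NT and LM hash attributes are password-equivalent for whoever can read them, which is why the first rule is tied to both the DN and the source address.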
Re: [Samba] Samba Anonymous LDAP Authentication
Hi,

isn't it possible to join the server to the domain and set security to domain or server?!?

Regards
Stefan

Matthew Crites wrote:
> Hello all. I have a Samba PDC server working great already. However on another host on the network I would like to setup a Samba server that authenticates to the same LDAP server that my Samba PDC is using. However I want to do this anonymously without telling the second server the admin password for LDAP. I cannot seem to find any documentation for anonymous LDAP authentication using Samba. Do I have to give Samba the admin password just to access authentication records?
[Samba] Samba Anonymous LDAP Authentication
Hello all. I have a Samba PDC server working great already. However on another host on the network I would like to setup a Samba server that authenticates to the same LDAP server that my Samba PDC is using. However I want to do this anonymously without telling the second server the admin password for LDAP. I cannot seem to find any documentation for anonymous LDAP authentication using Samba. Do I have to give Samba the admin password just to access authentication records?

--
Thanks,
Matthew Crites