Re: [Samba] Samba4 as a "plain LDAP" server?
On Tue, 2010-03-16 at 16:42 +, SMC wrote:
> On Monday 15 March 2010 22:42:41 Mike wrote:
> > I may well be insane, but as soon as I read your question, I thought
> > "how novel" and now want to find out the answer, myself.
>
> Well, not necessarily novel if I reword my question as "Would I still have to
> maintain two separate authentication databases if I want to use Samba4 with
> some non-Microsoft clients that don't have Samba installed?"
>
> For example, can Samba4 work with mail or web servers that can authenticate
> via "LDAP", or simple Linux workstations that I don't necessarily want to
> implement and maintain full-scale "ActiveDirectory(tm)"-mode authentication
> for?

Simple 'LDAP authentication' (doing a simple bind) is supported, just as it
is in AD.

> I haven't found any documentation so far that indicates either way whether
> this works. For obvious reasons, the existing Samba4 documentation seems to
> be almost exclusively about controlling Microsoft Windows clients.

What works or not really depends on what the client is expecting the LDAP
server to contain. We can't display a posix-like view, because the clients
we have expect an AD like view.

> If it's a case of "it SHOULD work but nobody's tested it yet", I'd be quite
> willing to help with the testing...

Development and exploration of ways we can maintain the best of both worlds
is wanted. We have to be an AD server first, but I'm open to ideas for how
we can be better as well.

Andrew Bartlett

-- 
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Cisco Inc.

-- 
To unsubscribe from this list go to the following URL and read the instructions:
https://lists.samba.org/mailman/options/samba
Re: [Samba] Samba4 as a "plain LDAP" server?
On Wed, 2010-03-17 at 13:40 +0800, David Adam wrote:
> On Tue, 16 Mar 2010, SMC wrote:
> > On Monday 15 March 2010 22:42:41 Mike wrote:
> > > I may well be insane, but as soon as I read your question, I thought
> > > "how novel" and now want to find out the answer, myself.
> >
> > Well, not necessarily novel if I reword my question as "Would I still have
> > to maintain two separate authentication databases if I want to use Samba4
> > with some non-Microsoft clients that don't have Samba installed?"
> >
> > For example, can Samba4 work with mail or web servers that can authenticate
> > via "LDAP", or simple Linux workstations that I don't necessarily want to
> > implement and maintain full-scale "ActiveDirectory(tm)"-mode authentication
> > for?
> >
> > The need to maintain two separate authentication databases has been my
> > biggest annoyance with Samba (I realize this isn't the fault of Samba but
> > rather a consequence of Microsoft's "special" password-hashing method).
> > That means if you don't use Samba every time you change your password, you
> > end up with your normal password and your Windows/Samba password out of
> > sync.
>
> We use the smbk5pwd overlay for OpenLDAP to solve this problem - when you
> change your password using 'passwd' on a Linux machine or on a Windows
> machine, all password entries are updated.

I have to say that smbk5pwd and the hooks I added to Samba to make this work
have been a great stopgap for the past few years. (I also wrote the original
extensions to Heimdal to have it read the sambaNTPassword attribute, and the
other Samba flags.)

With Samba4, the restrictions we have in the AD design (much closer
integration with the KDC and LDAP server) have meant that these parts must
now be under Samba4's control.

I hope this clarifies things,

Andrew Bartlett

-- 
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Cisco Inc.
Re: [Samba] Samba4 as a "plain LDAP" server?
On Mon, 2010-03-15 at 21:12 +, SMC wrote:
> This is probably an insane question, but I'm going to ask it anyway...
>
> Does Samba4's embedded LDAP server also support being used as an ordinary
> (*nix-style) LDAP authentication server, at least for simple, basic use cases?
>
> Or is it necessary to have the OpenLDAP backend running to handle normal LDAP
> authentication?

Actually, it's neither. The OpenLDAP backend of Samba4 is not generally
exposed, nor are the unix attributes currently set.

We do support the uidNumber attributes etc, but only in that we load a schema
that should allow them to be set. We don't currently set those values when
users are created, nor do we use them for Samba4's internal idmap.

The best option at this time is to run Samba3's winbind against Samba4. This
ensures that all recursive groups are handled correctly, and that Kerberos is
used for authentication.

I do want Samba4 to be a good LDAP server for POSIX clients, and I hope to
make it better than AD is by supporting extensions such as the 'password
set/change' extended operation. However, we must first be a good AD domain
controller, and we can't enable behaviours that are in conflict with being an
AD DC. For example, we will soon enable ACL support that will block anonymous
access to our directory - while most POSIX clients prefer anonymous searches.

I hope this clarifies things,

Andrew Bartlett

-- 
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Cisco Inc.
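The reply above makes a point a practitioner will want to verify on their own directory before pointing nss_ldap/sssd-style clients at it: Samba4 loads a schema that permits the RFC 2307 attributes (uidNumber, gidNumber, homeDirectory, loginShell, uid) but does not populate them, and a POSIX client that cannot find them cannot resolve the account. The following script is an added example, not code from the Samba project or from anyone in this thread. It assumes you have already dumped user entries with an authenticated search such as `ldapsearch -LLL -x -D '<bind dn>' -W -b '<base dn>' '(objectClass=user)'` (the bind DN, base DN and output file are placeholders), and it parses that LDIF offline, reporting which accounts lack the attributes a POSIX client needs. The embedded sample LDIF is constructed for the demonstration and is not real directory data.

```python
"""Audit ldapsearch LDIF output for the RFC 2307 attributes a POSIX client needs.

Added example, not Samba project code. Assumes the LDIF was produced by an
ldapsearch -LLL against the Samba4 (AD-style) directory; the sample below is
constructed for the demonstration.
"""
import base64
from typing import Dict, List

# Attributes nss_ldap/sssd-style clients look up when resolving an account
# (RFC 2307 posixAccount). Samba4 allows them in its schema but, per the
# thread, does not set them when users are created.
POSIX_REQUIRED = ("uid", "uidNumber", "gidNumber", "homeDirectory", "loginShell")

# Constructed sample: one AD-style user with no POSIX attributes, and one where
# an administrator has added them by hand (loginShell is base64-encoded to
# exercise the "attr::" form).
SAMPLE_LDIF = """\
dn: CN=Alice Example,CN=Users,DC=example,DC=test
objectClass: top
objectClass: person
objectClass: user
cn: Alice Example
sAMAccountName: alice
userPrincipalName: alice@example.test

dn: CN=Bob Example,CN=Users,DC=example,DC=test
objectClass: top
objectClass: person
objectClass: user
objectClass: posixAccount
cn: Bob Example
sAMAccountName: bob
uid: bob
uidNumber: 10001
gidNumber: 10001
homeDirectory: /home/bob
loginShell:: L2Jpbi9iYXNo
"""


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Parse a minimal LDIF stream into a list of {attr: [values]} dicts.

    Handles folded lines (continuations start with one space), base64 values
    ("attr:: ...") and comment lines. LDAP attribute names are case-insensitive,
    so they are lower-cased for lookup.
    """
    # Unfold continuation lines onto the previous logical line first.
    logical: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]
        else:
            logical.append(raw)

    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for line in logical:
        if line == "":
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#") or line.startswith("version:"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed LDIF line: {line!r}")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(name.lower(), []).append(value)
    if current:
        entries.append(current)
    return entries


def missing_posix_attrs(entry: Dict[str, List[str]]) -> List[str]:
    """Return the RFC 2307 attributes a POSIX client needs that the entry lacks."""
    return [a for a in POSIX_REQUIRED if a.lower() not in entry]


def audit(text: str) -> Dict[str, List[str]]:
    """Map each AD user entry (objectClass user) to its missing POSIX attributes."""
    report: Dict[str, List[str]] = {}
    for entry in parse_ldif(text):
        if "user" not in [v.lower() for v in entry.get("objectclass", [])]:
            continue
        name = entry.get("samaccountname", entry.get("dn", ["?"]))[0]
        report[name] = missing_posix_attrs(entry)
    return report


if __name__ == "__main__":
    for account, missing in audit(SAMPLE_LDIF).items():
        print(f"{account}: {'ok' if not missing else 'missing ' + ', '.join(missing)}")
```

Run it against a real dump by reading the ldapsearch output file into `audit()` instead of `SAMPLE_LDIF`. An account listed with all five attributes missing is exactly the case the reply describes: the schema allowed the attributes, nothing set them, and a POSIX client will not be able to resolve that user until they are populated (or until winbind is used as the reply recommends).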
Re: [Samba] Samba4 as a "plain LDAP" server?
On Tue, 16 Mar 2010, SMC wrote:
> On Monday 15 March 2010 22:42:41 Mike wrote:
> > I may well be insane, but as soon as I read your question, I thought
> > "how novel" and now want to find out the answer, myself.
>
> Well, not necessarily novel if I reword my question as "Would I still have to
> maintain two separate authentication databases if I want to use Samba4 with
> some non-Microsoft clients that don't have Samba installed?"
>
> For example, can Samba4 work with mail or web servers that can authenticate
> via "LDAP", or simple Linux workstations that I don't necessarily want to
> implement and maintain full-scale "ActiveDirectory(tm)"-mode authentication
> for?
>
> The need to maintain two separate authentication databases has been my biggest
> annoyance with Samba (I realize this isn't the fault of Samba but rather a
> consequence of Microsoft's "special" password-hashing method). That means
> if you don't use Samba every time you change your password, you end up with
> your normal password and your Windows/Samba password out of sync.

We use the smbk5pwd overlay for OpenLDAP to solve this problem - when you
change your password using 'passwd' on a Linux machine or on a Windows
machine, all password entries are updated.

One of my colleagues has written some basic documentation as part of his
overarching guide to LDAP:
http://wiki.ucc.asn.au/LDAP/LazySysadmin#smbk5pwd

I would be happy to answer questions about our setup. We seem to have almost
perfected the One True Password system across our range of Linux, FreeBSD,
Mac OS X, Windows and miscellaneous boxes.

David Adam
University Computer Club
Re: [Samba] Samba4 as a "plain LDAP" server?
On Monday 15 March 2010 22:42:41 Mike wrote:
> I may well be insane, but as soon as I read your question, I thought
> "how novel" and now want to find out the answer, myself.

Well, not necessarily novel if I reword my question as "Would I still have to
maintain two separate authentication databases if I want to use Samba4 with
some non-Microsoft clients that don't have Samba installed?"

For example, can Samba4 work with mail or web servers that can authenticate
via "LDAP", or simple Linux workstations that I don't necessarily want to
implement and maintain full-scale "ActiveDirectory(tm)"-mode authentication
for?

The need to maintain two separate authentication databases has been my biggest
annoyance with Samba (I realize this isn't the fault of Samba but rather a
consequence of Microsoft's "special" password-hashing method). That means
if you don't use Samba every time you change your password, you end up with
your normal password and your Windows/Samba password out of sync.

If Samba4's internal LDAP server also handles basic POSIX account attributes,
then using Samba4 as the "LDAP authentication server" for everything finally
solves that problem (doesn't it?). Otherwise, the only option would be using
the OpenLDAP backend and we're back to maintaining two separate sets of
authentication data and requiring Samba on the clients for any password
changes.

I haven't found any documentation so far that indicates either way whether
this works. For obvious reasons, the existing Samba4 documentation seems to
be almost exclusively about controlling Microsoft Windows clients.

If it's a case of "it SHOULD work but nobody's tested it yet", I'd be quite
willing to help with the testing...
Re: [Samba] Samba4 as a "plain LDAP" server?
I may well be insane, but as soon as I read your question, I thought
"how novel" and now want to find out the answer, myself.
[Samba] Samba4 as a "plain LDAP" server?
This is probably an insane question, but I'm going to ask it anyway...

Does Samba4's embedded LDAP server also support being used as an ordinary
(*nix-style) LDAP authentication server, at least for simple, basic use cases?

Or is it necessary to have the OpenLDAP backend running to handle normal LDAP
authentication?