Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss
[Samba] Delegate Samba4 user authentication to an external LDAP server
748 views
Skip to first unread message
Mario Pio Russo
Mar 3, 2015, 9:57:49 AM3/3/15
to
Good Day All
first of all thank you for this mailing list, it's really great, as great
is Samba :D
I have a question regarding Samba4 and the possibility to delegate
authentication to an external LDAP server using Cyrus SASL.
Basically I have already successfully implemented an authentication
delegation from an OpenLdap server (on CentOs) to another LDAP server (on
AIX) via cyrus SASL. I've done steps similar to what described here:
http://gauvain.pocentek.net/node/42
and all worked fine.
now I want to replicate the same operation on a Samba4 AD domain (on Ubuntu
10.4). The final goal is that users on the Samba4 domain do not need a new
password for it, but they can use the one of the centralized , external
openldap (AIX). I know that Samba4 uses its own internal ldap server, which
is not OpenLdap anymore, so now I hav ethe following questions:
- has any of you ever tried something similar?
- in order to Delegate authentication from OpenLdap to LDAP, I had to
install and use a specific cycrus-sasl plugin on my CentOs server:
"cyrus-sasl-ldap.x86_64 : LDAP auxprop support for Cyrus SASL"; this does
not seem to be present for samba4, but only from openldap; do you know if I
still need this? is Cyrus-SASL support is already included in samba4?
according to the cyrus-SASL official web page there is no mention of
Samba4: http://asg.web.cmu.edu/sasl/sasl-projects.html
- I need to change the "password" attribute of each user and make it look
similar to this {SASL}user...@externalldap.com , how can I modify that
attribute?
thanks in advance, any help is welcome!!
___________________________________________________________________________________________
Mario Pio Russo, System Admin SWG IT Services Dublin, Phone & FAX: +353 1
815 2236, eMail: mariop...@ie.ibm.com
IBM Ireland Product Distribution Limited registered in Ireland with number
92815. Registered Office: IBM House, Shelbourne Road, Ballsbridge, Dublin 4
(Embedded image moved to file: pic52094.gif)
Rowland Penny
Mar 3, 2015, 10:24:40 AM3/3/15
to
want to replace the Openldap side with Samba 4 in AD mode.
If this is the case, I do not think it will work, for one thing an AD
user does not have a 'password' attribute.
If the opposite way round then probably, but just replace 'AD side' with
'Samba4 AD side'.
You should also be aware that you can use samba4 just like samba3 i.e.
you can use Openldap instead of the internal AD ldap.
Rowland
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
Mario Pio Russo
Mar 3, 2015, 1:30:28 PM3/3/15
to
Hi Rowland
yes you got it right, I have a samba 4 installation and I'd like to
delegate the authentication to an external ldap server.
I have noticed that in samba 4 we do not have the attribute "password", so
my question is:
if I use Samba4+Openldap (as backend) and in OpenLdap I manually add the
attribute "password" to each user entry, and password as a link to SASL
{SASL}user...@externalldap.com , do you think that this would work? sorry
but I have not much knowledge of how samba stores its passwords.
thanks
yes you got it right, I have a samba 4 installation and I'd like to
delegate the authentication to an external ldap server.
I have noticed that in samba 4 we do not have the attribute "password", so
my question is:
if I use Samba4+Openldap (as backend) and in OpenLdap I manually add the
attribute "password" to each user entry, and password as a link to SASL
{SASL}user...@externalldap.com , do you think that this would work? sorry
but I have not much knowledge of how samba stores its passwords.
thanks
___________________________________________________________________________________________
Mario Pio Russo, System Admin SWG IT Services Dublin, Phone & FAX: +353 1
815 2236, eMail: mariop...@ie.ibm.com
IBM Ireland Product Distribution Limited registered in Ireland with number
92815. Registered Office: IBM House, Shelbourne Road, Ballsbridge, Dublin 4
(Embedded image moved to file: pic44721.gif)
Mario Pio Russo, System Admin SWG IT Services Dublin, Phone & FAX: +353 1
815 2236, eMail: mariop...@ie.ibm.com
IBM Ireland Product Distribution Limited registered in Ireland with number
92815. Registered Office: IBM House, Shelbourne Road, Ballsbridge, Dublin 4
Rowland Penny
Mar 3, 2015, 1:42:50 PM3/3/15
to
On 03/03/15 18:29, Mario Pio Russo wrote:
> Hi Rowland
>
> yes you got it right, I have a samba 4 installation and I'd like to
> delegate the authentication to an external ldap server.
> I have noticed that in samba 4 we do not have the attribute "password", so
> my question is:
>
> if I use Samba4+Openldap (as backend) and in OpenLdap I manually add the
> attribute "password" to each user entry, and password as a link to SASL
> {SASL}user...@externalldap.com , do you think that this would work? sorry
> but I have not much knowledge of how samba stores its passwords.
>
> thanks
>
OK, if you use samba 4 plus Openldap, you will not have an AD based
> Hi Rowland
>
> yes you got it right, I have a samba 4 installation and I'd like to
> delegate the authentication to an external ldap server.
> I have noticed that in samba 4 we do not have the attribute "password", so
> my question is:
>
> if I use Samba4+Openldap (as backend) and in OpenLdap I manually add the
> attribute "password" to each user entry, and password as a link to SASL
> {SASL}user...@externalldap.com , do you think that this would work? sorry
> but I have not much knowledge of how samba stores its passwords.
>
> thanks
>
system, so you will need to set it up just like a samba3 NT PDC. There
are numerous howtos out there on the web.
Now, seeing as where you are posting from, you will probably not like
this, but have you considered dumping the AIX server and going entirely
AD ? you could then probably authenticate to the samba AD DC via kerberos.
Andrew Bartlett
Mar 9, 2015, 3:53:30 AM3/9/15
to
Samba domains, not other LDAP servers or SASL, as our authentication
protocols do not disclose the plaintext password. AD and Samba domains
support pass-though mechanisms for NTLM, and we can accept Kerberos
tickets issued by Kerberos servers.'
To be an AD DC, you need to be the source of truth for passwords. I can
only suggest you arrange the reverse, that your OpenLDAP servers talk to
the Samba AD DC.
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
Mario Pio Russo
Mar 10, 2015, 6:47:29 AM3/10/15
to
thanks for your answer, I cannot do the reverse authentication
unfortunately. Everything has to work as I have described. Furthermore I
cannot change my external trust authority for authentication. From this
thread it looks like the only option is to use local password for the
Samba4 domain users, which add some complexity when managing IDs (and above
all passwords), as a single user might have different ids/password in the
Samba4 domain and the LDAP one.
I've read few other threads about using OplenLdap as backend of Samba4 AD
DC, seemingly there was a project to integrate OpenLdap within Samba4 AD
DC, do you know if there is any progress in that direction?
thanks
unfortunately. Everything has to work as I have described. Furthermore I
cannot change my external trust authority for authentication. From this
thread it looks like the only option is to use local password for the
Samba4 domain users, which add some complexity when managing IDs (and above
all passwords), as a single user might have different ids/password in the
Samba4 domain and the LDAP one.
I've read few other threads about using OplenLdap as backend of Samba4 AD
DC, seemingly there was a project to integrate OpenLdap within Samba4 AD
DC, do you know if there is any progress in that direction?
thanks
Andrew Bartlett
Mar 10, 2015, 2:02:38 PM3/10/15
to
On Tue, 2015-03-10 at 10:46 +0000, Mario Pio Russo wrote:
> thanks for your answer, I cannot do the reverse authentication
> unfortunately. Everything has to work as I have described. Furthermore I
> cannot change my external trust authority for authentication. From this
> thread it looks like the only option is to use local password for the
> Samba4 domain users, which add some complexity when managing IDs (and above
> all passwords), as a single user might have different ids/password in the
> Samba4 domain and the LDAP one.
>
> I've read few other threads about using OplenLdap as backend of Samba4 AD
> DC, seemingly there was a project to integrate OpenLdap within Samba4 AD
> DC, do you know if there is any progress in that direction?
Even if it were to succeed, it wouldn't help you, as it still requires
> thanks for your answer, I cannot do the reverse authentication
> unfortunately. Everything has to work as I have described. Furthermore I
> cannot change my external trust authority for authentication. From this
> thread it looks like the only option is to use local password for the
> Samba4 domain users, which add some complexity when managing IDs (and above
> all passwords), as a single user might have different ids/password in the
> Samba4 domain and the LDAP one.
>
> I've read few other threads about using OplenLdap as backend of Samba4 AD
> DC, seemingly there was a project to integrate OpenLdap within Samba4 AD
> DC, do you know if there is any progress in that direction?
Samba to hold the passwords. It is about changing the DB engine, not
the authentication model.
Sorry,
0 new messages