
Re: RFC [Samba/NIS + LDAP]



On Mon, 12 Nov 2001, Will Sarka wrote:

> Greetings,
>
> I am an OpenLDAP newbie, and have been doing some cursory examination of
> what might be possible with unifying authentication for my Linux and
> Windows boxes.  I understand Samba can use NIS as a basis of
> authentication, and then the nss_ldap modules allows NIS lookups to be
> done against a LDAP directory.  I currently have no windows servers
> (only a workgroup that I inherited), and am considering using the Samba
> 2.2.x codebase to implement a PDC/Domain with a LDAP backend that
> understands NIS (via the nis schema, from what I gather).  Has anyone
> done anything like this?  Any pitfalls?  Howtos?  URLs? :-)

I am working pretty much the same thing and I am making good progress.

Recent versions of Samba 2.2 can authenticate directly against an LDAP
server. What you need is:

* Some knowledge of the basics of LDAP principles and how to set up a
  server and namespace. There are pretty good books and some howtos on the
  net.

* For basic management of users and groups for Unix/NIS and Samba in LDAP
  you will at least need the posixAccount and posixGroup object classes
  defined in nis.schema and the sambaAccount object class in samba.conf
  (comes with the Samba distribution).

* Tools to manage the entries for your accounts. As you will need to
  generate both Unix and Windows password hashes you will also probably
  want to keep them synchronized. I am cooking my own tools to do this
  just for the fun of it.

* Pitfalls... Access control is fundamental, especially for the Windows
  password hashes. You don't want these hashes to get sniffed from the
  network either so use LDAPS (LDAP with SSL/TLS) whenever possible. By
  the way: Can you set an ACL that allows a user to fetch an attribute
  when using an SSL connection but not otherwise? Also, if you use Samba
  and have any kind of debugging enabled the same hashes wind up in Samba's
  log file.

I have not yet set up a full PDC, but my test Samba server does the
authentication stuff very well.

If anyone is interested I can probably publish the stuff I have coded so
far. I probably should clean it up a bit first. Beware though - it is all
written in Pike, a C-like interpreted language that is _perfect_ for
making little LDAP gizmos among other things. (Sorry, I couldn't resist).

/Erik

-- 
Erik Persson, System Manager            <erik@roxen.com>
Roxen Internet Software                 Voice:  +46 13 376817
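
The "tools to manage the entries" bullet above describes generating both the Unix and the Windows hash from one cleartext and keeping them in step. The script below is an added example for this thread, not Erik's Pike tools and not Samba or OpenLDAP code: it builds one entry carrying posixAccount and sambaAccount, derives userPassword ({SSHA}) and ntPassword (MD4 over the UTF-16LE password) from the same string, emits it as LDIF, and offers a check that refuses an entry whose two hashes have drifted apart. The suffix ou=People,dc=example,dc=com, the sample account, the attribute names taken from Samba 2.2's samba.schema (rid, ntPassword, primaryGroupID, pwdLastSet, acctFlags) and the 2*uidNumber+1000 RID mapping are assumptions; lmPassword is left out because the LM hash needs DES, which the Python standard library does not provide.

```python
"""posixAccount + sambaAccount entry with synchronized Unix/Windows hashes.
Added example for the thread; not Erik's tools, not Samba/OpenLDAP code.
Assumed: ou=People,dc=example,dc=com suffix, Samba 2.2 samba.schema attribute
names, rid = 2*uidNumber + 1000.  lmPassword omitted (needs DES)."""
import base64
import hashlib
import hmac
import os
import struct
import time

MASK32 = 0xFFFFFFFF
PEOPLE_DN = "ou=People,dc=example,dc=com"   # assumed suffix


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320).  The NT hash is MD4 of the UTF-16LE password;
    hashlib's md4 is frequently disabled under OpenSSL 3, hence this copy."""
    def f(x, y, z): return (x & y) | (~x & z)
    def g(x, y, z): return (x & y) | (x & z) | (y & z)
    def h(x, y, z): return x ^ y ^ z
    def rol(v, n): return ((v << n) | (v >> (32 - n))) & MASK32

    msg = bytearray(data) + b"\x80"               # padding: 0x80, zeros, 64-bit LE bit length
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", (8 * len(data)) & 0xFFFFFFFFFFFFFFFF)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        words = struct.unpack("<16I", msg[off:off + 64])
        r = state[:]

        def step(fn, k, s, const):
            r[0] = rol((r[0] + fn(r[1], r[2], r[3]) + words[k] + const) & MASK32, s)
            r.insert(0, r.pop())                 # (a,b,c,d) -> (d,a,b,c): next step updates d
        for i in range(16):                      # round 1
            step(f, i, (3, 7, 11, 19)[i % 4], 0)
        for i, k in enumerate((0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)):
            step(g, k, (3, 5, 9, 13)[i % 4], 0x5A827999)     # round 2
        for i, k in enumerate((0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)):
            step(h, k, (3, 9, 11, 15)[i % 4], 0x6ED9EBA1)    # round 3
        state = [(a + b) & MASK32 for a, b in zip(state, r)]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> str:
    """ntPassword value: 32 uppercase hex digits, the form Samba stores."""
    return md4(password.encode("utf-16-le")).hex().upper()


def ssha(password: str, salt: bytes = None) -> str:
    """userPassword in OpenLDAP's {SSHA} form: base64(SHA-1(pw || salt) || salt)."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def ssha_verify(stored: str, password: str) -> bool:
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[6:])
    digest, salt = raw[:20], raw[20:]
    return hmac.compare_digest(hashlib.sha1(password.encode() + salt).digest(), digest)


def build_entry(uid, uid_number, gid_number, password, cn=None, base_dn=PEOPLE_DN):
    """Attribute dict for one entry; both hashes come from the same cleartext,
    so they cannot disagree at creation time."""
    return {
        "dn": f"uid={uid},{base_dn}",
        # posixAccount is AUXILIARY; sambaAccount (STRUCTURAL in samba.schema) carries the entry
        "objectClass": ["top", "posixAccount", "sambaAccount"],
        "cn": cn or uid,
        "uid": uid,
        "uidNumber": str(uid_number),
        "gidNumber": str(gid_number),
        "homeDirectory": f"/home/{uid}",
        "loginShell": "/bin/sh",
        "userPassword": ssha(password),
        "rid": str(2 * uid_number + 1000),            # assumed algorithmic RID mapping
        "primaryGroupID": str(2 * gid_number + 1001),
        "ntPassword": nt_hash(password),
        "pwdLastSet": str(int(time.time())),
        "acctFlags": "[U          ]",                 # plain user account, 11 flag positions
    }


def to_ldif(entry: dict) -> str:
    lines = [f"dn: {entry['dn']}"]
    for attr, value in entry.items():
        if attr == "dn":
            continue
        for v in (value if isinstance(value, list) else [value]):
            lines.append(f"{attr}: {v}")
    return "\n".join(lines) + "\n"


def passwords_in_sync(entry: dict, password: str) -> bool:
    """True only if the Unix and the Windows hash both verify against the same
    cleartext; run this from the password-change path to catch drift."""
    return ssha_verify(entry["userPassword"], password) and \
        hmac.compare_digest(entry["ntPassword"], nt_hash(password))


if __name__ == "__main__":
    e = build_entry("wsarka", 1001, 100, "correct horse")   # constructed sample account
    print(to_ldif(e))
    print("in sync:", passwords_in_sync(e, "correct horse"))
```

Feed the LDIF to ldapadd over a TLS session; the ntPassword line is the same secret an attacker needs to impersonate the user, which is why the access-control point in the post matters as much for the tool that writes it as for the server that stores it.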
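
On the "pitfalls" bullet and the question it asks: OpenLDAP's access directive does take ssf=, tls_ssf=, transport_ssf= and sasl_ssf= qualifiers on a "by" clause, so an attribute can be granted only to sessions protected at a given strength. The fragment below is an added example, not from the post and not the Samba or OpenLDAP projects' own sample configuration; the certificate paths, the cn=samba admin DN, the suffix and the host name are assumptions, and the smb.conf part assumes a Samba 2.2 built with LDAP support.

```conf
# --- slapd.conf (OpenLDAP 2.x) ---
# Serve TLS; the file paths are assumptions.
TLSCertificateFile      /etc/openldap/slapd.crt
TLSCertificateKeyFile   /etc/openldap/slapd.key

# Password hashes: reachable only over a session of at least 128-bit
# strength.  A "by" clause whose ssf requirement is not met does not
# match, so a cleartext session falls through to "by * none".
access to attrs=userPassword,lmPassword,ntPassword
        by dn="cn=samba,dc=example,dc=com" ssf=128 write
        by self ssf=128 write
        by anonymous ssf=128 auth
        by * none

# Everything else (uid, uidNumber, homeDirectory, ...) stays readable so
# that nss_ldap lookups keep working.
access to *
        by dn="cn=samba,dc=example,dc=com" write
        by * read

# --- smb.conf (Samba 2.2 with LDAP support) ---
[global]
        ldap server   = ldap.example.com
        ldap port     = 636
        ldap ssl      = on
        ldap suffix   = ou=People,dc=example,dc=com
        ldap admin dn = cn=samba,dc=example,dc=com
        # debugging writes the fetched hashes into Samba's log; keep it off
        log level     = 0
```

The bind password for the admin DN is stored in Samba's secrets file with `smbpasswd -w`; the `by anonymous ssf=128 auth` line means that bind, like every user's simple bind, is refused unless the session is already encrypted, which is the behaviour the post asks for.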