[PLUG] Samba, LDAP, and my sanity.

Wil Cooley wcooley at nakedape.cc
Mon Mar 8 19:09:01 UTC 2004


On Mon, 2004-03-08 at 18:19, Jeme A Brelin wrote:

> I started with "security = user", but then the Samba-3 How-To said that
> domain security was the way to go for "single sign on".  I figured I was
> closer to the right track before.

I don't think you really want to try for "single sign-on"; SSO is more
like Kerberos, where all the services on your network are authenticated
only once, when the user logs in to his machine.  It supposedly can be
achieved with Kerberos, but I haven't done the setup or tested enough to
know how many clients actually support the required authentication
mechanisms.

> > Exactly how are you creating users by hand?
> 
> smbldap-useradd
> 
> > What does your smb.conf look like?
> 
> Uh... it's a little long, but it's totally consistent with your wiki
> SambaLdapIntegration example.

The global section is really the only interesting thing.

> > Are your LDAP ACLs too tight?
> 
> I don't think I've configured any.

That's probably why; OpenLDAP defaults IIRC to read-only access by
anonymous (or anyone else) and read-write access to the rootdn only. 
Now that I look at my doc, I totally left off the ACL stuff, because I'd
intended to add it later in different sections for master and slave LDAP
servers.

I'm assuming you're behind a reasonably protected network and there
aren't script kiddies continuously looking for any hole to get in, so
why don't you try a wide-open ACL by setting the default access to
'write' (just add a line 'defaultaccess write' to slapd.conf) and
restart.  See if you can add a user with smbldap-add that works
afterwards; my guess is the addition fails.

> > What does an entry created by this 'by hand' method look like (hint:
> > ldapsearch)?
> 
> I've never used ldapsearch and a cursory glance at the man page doesn't
> make a usable command line obvious.

ldapsearch -x -D <ROOTDN> -W -b <basedn> -h <ldaphost> \
objectclass=sambaSamAccount

The -x is the key part that's easy to over-look.

> I couldn't get that to work, either, though.  I am MORE than willing to
> forego LDAP in exchange for something that actually works.  (Though,
> again, the Samba-3 How-To Collection basically pushes you away from
> anything but LDAP.)

Well, it does for PDC/BDC setups, because it's the only way to do it
reliably.  Unless your setup is more complicated than I've been able to
infer, you don't need a PDC/BDC setup.  That said, I think the LDAP ACL
is probably the most immediately missing part.

Wil
-- 
Wil Cooley                                 wcooley at nakedape.cc
Naked Ape Consulting                        http://nakedape.cc
* * * * Linux, UNIX, Networking and Security Solutions * * * *
*   Naked Ape Consulting                 http://nakedape.cc  *
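[Added example, not part of Wil's message or of any Samba or OpenLDAP documentation.] The slapd.conf fragment below spells out the two ACL states Wil is talking about: the wide-open "defaultaccess write" used only to confirm whether access control is what is blocking smbldap-useradd, and a normal set of rules afterwards. The suffix dc=example,dc=com and the bind DN cn=samba-admin,dc=example,dc=com are assumptions; substitute your own. Note that the rootdn is never subject to ACLs, so these rules only come into play when the DN that Samba (smb.conf "ldap admin dn") and the smbldap-tools bind as is something other than the rootdn, which is exactly the situation where a stock OpenLDAP config (read for everyone, write for rootdn only) makes additions fail.

```conf
# slapd.conf ACL fragment (added example; assumed names, see lead-in).
# OpenLDAP evaluates "access to" rules top-down and uses the first one whose
# target matches; within that rule the first matching "by" clause wins. The
# attribute rule therefore has to come before the catch-all "access to *".

# 1. Debugging only. This is the explicit equivalent of 'defaultaccess write':
#    anyone, anonymous included, may modify anything. Enable it just long
#    enough to see whether smbldap-useradd starts working, then take it out.
#access to *
#    by * write

# 2. Normal rules. sambaSamAccount stores the NT and LM hashes in
#    sambaNTPassword and sambaLMPassword; those are password-equivalent, so
#    they get the same protection as userPassword: the admin DN that Samba and
#    smbldap-tools bind as may read and write them, a user may change his own,
#    and everyone else may only bind ("auth") against them, never read them.
access to attrs=userPassword,sambaNTPassword,sambaLMPassword
    by dn="cn=samba-admin,dc=example,dc=com" write
    by self write
    by anonymous auth
    by * none

# Everything else: the admin DN writes, everyone else reads. This is what the
# OpenLDAP default already gives you, with the write grant added for the DN
# Samba actually uses.
access to *
    by dn="cn=samba-admin,dc=example,dc=com" write
    by * read
```

A quick check after restarting slapd: run Wil's ldapsearch once with -x -D <ROOTDN> -W and once with plain -x (anonymous). The first should show sambaNTPassword on your sambaSamAccount entries; the second must not. If the anonymous search still returns the hashes, the attribute rule is either missing or sitting below the "access to *" rule.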