LDAP authentication without sambaSamAccount on a Linux SMB/CIFS server (e.g. Samba)
You need to set an LDAP password in Samba (e.g. if your admin dn is for the user admin):
smbpasswd -w admin
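As an added example (not the answer author's own code), the shell snippet below shows why `smbpasswd -w` is the fix for the "neither ldap secret retrieved" / "Failed to retrieve password from secrets.tdb" messages in the question: Samba stores the bind password in secrets.tdb under a key derived from the exact `ldap admin dn` in smb.conf, so changing that DN without re-running `smbpasswd -w` leaves no usable secret. The smb.conf fragment and the tdbdump listing are constructed, and the key layout `SECRETS/LDAP_BIND_PW/<dn>` is an assumption based on Samba's secrets.c.

```shell
#!/bin/sh
# Added example: verify that secrets.tdb holds a bind password for the
# "ldap admin dn" configured in smb.conf. Samba's fetch_ldap_pw() looks up
# the key SECRETS/LDAP_BIND_PW/<dn> (assumed layout); when it is missing,
# smbldap_connect_system() logs "neither ldap secret retrieved!", the LDAP
# bind never happens and every SMB logon ends in NT_STATUS_ACCESS_DENIED.

# Print the "ldap admin dn" value from an smb.conf read on stdin.
extract_admin_dn() {
    sed -n 's/^[[:space:]]*ldap admin dn[[:space:]]*=[[:space:]]*//p' \
        | sed 's/^"\(.*\)"$/\1/; s/[[:space:]]*$//' | head -n 1
}

# secrets.tdb key Samba uses for a given admin DN (assumed layout).
expected_secret_key() {
    printf 'SECRETS/LDAP_BIND_PW/%s\n' "$1"
}

# Return 0 if a tdbdump listing on stdin contains the key for this DN.
# The key is matched from its opening quote; the trailing NUL that
# tdbdump renders as \00 is deliberately not matched.
secret_present() {
    grep -qF "\"$(expected_secret_key "$1")" 
}

# Constructed smb.conf fragment mirroring the passdb line in the question.
SMB_CONF='[global]
   workgroup = WORKGROUP
   passdb backend = ldapsam:ldaps://ldap.example.com
   ldap admin dn = cn=admin,dc=example,dc=com
   ldap suffix = dc=example,dc=com
'

# Constructed "tdbdump secrets.tdb" output from a host where smbpasswd -w
# was run for a different DN than the one now configured above.
TDB_DUMP='{
key(50) = "SECRETS/LDAP_BIND_PW/cn=manager,dc=example,dc=com\00"
data(7) = "secret\00"
}'

# Compare the configured DN against the stored secrets; non-zero = fix needed.
check_host() {
    dn=$(printf '%s' "$SMB_CONF" | extract_admin_dn)
    if printf '%s\n' "$TDB_DUMP" | secret_present "$dn"; then
        echo "ok: secrets.tdb has a bind password for $dn"
    else
        echo "missing: run 'smbpasswd -w <password>' so Samba can bind as $dn"
        return 1
    fi
}
```

On a real host, replace the embedded listing with the output of `tdbdump` on Samba's secrets.tdb and the fragment with the live smb.conf; the functions are unchanged.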
umläute
media-artist, open-source developer, system administrator and phd-student (phew!)
Updated on September 18, 2022

Question by umläute, almost 2 years ago:
I'm currently running samba-3.5.6 on a Debian/wheezy host to act as the fileserver for our department's w32 clients. Authentication is done via OpenLDAP, where each user DN has an objectClass sambaSamAccount that holds the SMB credentials and an objectClass shadowAccount/posixAccount for "ordinary" authentication (e.g. PAM, Apache, ...).
Now we would like to dump our department's user DB and instead authenticate against the user DB of our upstream organisation. These user accounts are managed in a Novell eDirectory, which I can already use to authenticate via PAM (e.g. for SSH logins; on another host). Our upstream organisation provides SMB/CIFS based access (via some Novell service) to some directories, which I can access from my Linux client via smbclient.
What I currently don't manage to do is to use the upstream LDAP (the eDirectory) to authenticate our institution's Samba.
I configured my Samba server to authenticate against the upstream LDAP server:
passdb backend = ldapsam:ldaps://ldap.example.com
But when I try to authenticate a user, I get:
$ smbclient -U USER \\\\SMBSERVER\\test
Enter USER's password:
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.6.6]
tree connect failed: NT_STATUS_ACCESS_DENIED
The logfiles show:
[2012/10/02 09:53:47.692987, 0] passdb/secrets.c:350(fetch_ldap_pw)
  fetch_ldap_pw: neither ldap secret retrieved!
[2012/10/02 09:53:47.693131, 0] lib/smbldap.c:1180(smbldap_connect_system)
  ldap_connect_system: Failed to retrieve password from secrets.tdb
I see two problems I'm having:
1. I don't have any administrator password for the upstream LDAP (and most likely they won't give me one). I only want to authenticate my users; write access is not needed at all. Can I get away with that?
2. The upstream LDAP does not have any Samba-related attributes in the DB. I was under the impression that for Samba to authenticate, those attributes are required, as SMB/CIFS uses some trivial hashing which is not compatible with the usual posixAccount hashes.
Is there a way for my department's Samba server to authenticate against such an LDAP server?