Integrating OpenLDAP and Samba
January 1, 2008 at 7:58 pm
jimnieken (Participant)

Hello all and happy holidays. I’ve been given a fun transition project, and I wanted to ask the gurus here for their insights or suggestions. I’m looking for a way to integrate OpenLDAP with Samba, so a user can authenticate through LDAP and receive access to an SMB share.
I work for a major university, and we use a combination of OpenLDAP, Kerberos and AFS to provide authentication for our Mac clients (primarily 10.4.9 and 10.4.11), plus access to roaming home directories. The backend is mostly Linux with some Solaris thrown in for flavor. We do not run OS X Server, for reasons too painful to discuss. There are no Windows servers.
Our clients break down like this. Currently, the Macs use LDAP for usernames, Kerberos for passwords, and AFS for network home directories. AFS is Kerberized, which means I can easily translate the Kerberos credentials for a user’s AFS space. On the other side, the PCs use LDAP for usernames and passwords, and access home directories via SMB. We do not run Active Directory for reasons that are also too painful to discuss. A mechanism translates between AFS and SMB for the PCs, though technically everything resides on AFS.
But, as it turns out, AFS is difficult to maintain, and our network group wants to phase it out. They are moving everything to Samba, which causes a problem for the Macs. Here’s what I’m looking at:
If I continue to use LDAP and Kerberos, there is no easy way to translate that into Samba access, because Samba 3 is not Kerberized. (As a side note, Samba 4 is supposed to be Kerberized, but that won’t be production-ready until 2010 or so.) This means users will be prompted for a password to log in, and then another password to get into their Samba network directory, and then more password prompts for other shares, print servers, et cetera. Needless to say, this is a very sloppy solution.
If I use LDAP for the login, which I am inclined to do at this point, I will be using the same login and password that the Samba environment expects, and as an added bonus, the same password that the PCs use. But, I know of no way to recycle that password and pass it to the Samba process. Otherwise, I have the same issue as with Kerberos: users have to type in two passwords. But at least in the LDAP world they have to type in the same password twice. I realize this is a nasty security vulnerability, but is there a way to get the password as a variable and use that to authenticate to Samba?
Another solution would be to get LoginWindow to use Samba to authenticate. Apple does not provide a plugin to allow for this, and I know of no way to do so. The obvious answer would be to use Active Directory, but we do not run Active Directory for reasons that are (as discussed above) too painful to discuss. Is there a way to use just Samba, not Active Directory, to authenticate at the LoginWindow?
As it stands, those are the best ideas my colleagues and I have come up with. I’ve been plugging away at this for a few days now, and am getting no closer to a workable solution. Does anyone out there have experience with this, or suggestions to try? I appreciate any feedback you may have.
Jim Nieken
January 3, 2008 at 2:49 am
jimnieken (Participant)

> Quote by: MacTroll
> Why don’t you think Samba is fully kerberized in version 3?

Hm. That’s very interesting information. I have to plead ignorance on that one, as our network group insisted that getting Samba and Kerberos to work together was literally impossible, and my department is not in a position to contradict that decree.
That being said, I am filled with a perverse delight at the prospect of showing them up and proving them wrong.
Another potentially useful resource is http://www.math.gatech.edu/~dijuremo/ldap/, which came up on the first page of a Google search for “Samba Kerberos LDAP”. So, while not trivial, integrating Samba and Kerberos on the back end appears to be much easier than my network group tells me. Curiouser and curiouser.
I think I’m going to pass this issue back to them, rather than wasting my time hacking together a kluge. Thanks for your help, MacTroll, even if it was just to remind me to question my assumptions.
Jim Nieken