HPE Community
Operating System - HP-UX
1822168 Members
3792 Online
109640 Solutions
New Discussion юеВ

CIFS (samba 2.2.3a) +PAM(LDAP)

 
Mark De Moor
Occasional Contributor

тАО06-24-2002 05:42 AM

тАО06-24-2002 05:42 AM

CIFS (samba 2.2.3a) +PAM(LDAP)

Hi ,
I'am using cifs 9000 on HP-UX 11i (+ldap-ux) and have a few questions, i didn't find a clear answer for.

Does cifs 9000 (samba 2.2.3a) support PAM(-ldap) if using share-mode and plain-text passwords ?
Do i have to modify the pam.conf ?

The source is not included in the depot, according to the doc's it should be. Does HP provides it, or do i have to get it from samba-site, without HP's modifications then.

Is the compile-option --with-ldapsam allready supported ?

Kind regards
Mark De Moor
To LDAP or not to LDAP
0 Kudos
Reply
3 REPLIES 3
rainer doelker
Valued Contributor

тАО06-27-2002 04:22 AM

тАО06-27-2002 04:22 AM

Re: CIFS (samba 2.2.3a) +PAM(LDAP)

Hi Mark,

as ldap-ux provides hpux-user-validation against a directory server by editing the /etc/pam.conf to use the libpam-ldap.1 (I think) This follows strictly that if you choose "security = user" in smb.conf for cifs along with "encrypt passwords = no" that a password is send to the unix-passwd-mechanism.

The only disadvantage is you need to hack the registry for each NT and Win2000 client to send a plain password AND this might be a security issue as well.

BUT unfortunately this is currently the only way.

Compiling the cifs-package with other options else than the ready package would mean - no support! (It would be a too large variety of options to test)

If you go to software.hp.com you'll find a new cifs A.01.08 package including the sources. That was a packaging mistake -- sorry for this.

hope this helped.
Rainer

0 Kudos
Reply
Walter Jaeger
New Member

тАО06-27-2002 09:26 AM

тАО06-27-2002 09:26 AM

Re: CIFS (samba 2.2.3a) +PAM(LDAP)

hy Mark,
CIFS/9000 Server and LDAP-UX works together without any Problems

LDAP-UX consists of 3 parts
- NSS_LDAP
- PAM_LDAP
- NIS-LDAP-Gateway

Samba only needs an anderlaying UNIX user account which can be provided by NSS_LDAP.
NSS_LDAP provides all Authorisation Information (UID, GID, Username, ...) like NIS, but without Authentication
Config file /etc/nsswitch.conf
Check tools for LDAP-Client Config:
- pwget -n
- pwget
- listusers
- id

because Samba has a own Authentication Mechanism (smbpasswd file), you don't need the PAM_LDAP
==> no editing of /etc/pam.conf
==> smb.conf "encrypt passwords = yes"
==> no Windows Registry Hack


Yes, CIFS/9000 server supports "Plain text passwds", but there are many disadvantages like no PDC-Support.

Best regards,
Walter Jaeger
0 Kudos
Reply
Mark De Moor
Occasional Contributor

тАО07-01-2002 01:10 AM

тАО07-01-2002 01:10 AM

Re: CIFS (samba 2.2.3a) +PAM(LDAP)

Tanx Rainer & Walter,

this was already helpfull, but I'am still a little confused.
Does it mean that if using
share-mode & no encryption
cifs is not using pam-...
but uses another mechanism, and only checks the /etc/passwd file ?

Most of our users still have a "hacked reg." to use samba-shares.
I know plain-text pw's is not very safe, but we need some time to switch to encrypted pw's and then keep the unix and windows/smb pw's synchronised.
Using an Active Directory is maybe a solution, but we don't like that very much, maybe SSOD can help...we'll see.

Well I'll download the new depot, so I'll have the source and can try some options at own risk of course.

Kind regards
Mark
To LDAP or not to LDAP
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.