samba simple ldap - active directory authentication
Hi all,
I searched the forums and samba docs without finding a solution.
We have a Windows 2003 Active Directory server holding mail user accounts. Users manage their passwords through Exchange's Webmail application. Most users are not joined to the Windows domain and have a plain workgroup setup.
I would set up a Samba server with this behaviour:
Samba's share definition in smb.conf lists the users allowed to access THAT share;
Users provide their username and mail (AD) password;
Samba checks if THAT user is allowed to access the share and verifies the password via Active Directory's LDAP;
No need to change AD password from Samba, no change to be made in AD LDAP structure.
In other words I would replicate what I'm doing with Apache's mod_ldap, so users can access reserved pages supplying their (mail) username and password.
Any chance to succeed in making that?
Thanks all.
Sure. Join Samba to the Domain. Put users in groups for who has access to each share. And then restrict the various shares to the user groups you've created.
There's loads of docs for getting Samba on the domain so that should be an issue. Let us know how far you get.
Do you mean configuring samba as a "Domain member server"? So I guess I have to install kerberos too...
Furthermore, Samba server is on DMZ, while AD server is behind the firewall, in a physically separate subnet.
I think I'll have the issue to make AD server reachable through the netbios name.
Yep. Domain member server. If you want to authenticate users against AD, you're going to have to punch some holes from the file server to your domain controllers, I don't see any way around that.
You're not really going to be able to authenticate with just plain LDAP against active directory. It will require either a lot of modification of the directory or some modification of your directory plus keeping separate password accounts for the Samba server. If you're willing to really work-over your directory, then you can treat it as a regular LDAP directory and add all the schemas you need. But no matter what, if you want to get your Samba server to auth against AD, you've got to put a couple of holes in your firewall to allow communication between the two systems.
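A sketch of the domain member setup recommended in the replies above, added here as an example and not taken from any poster's configuration. The domain EXAMPLE, realm EXAMPLE.LOCAL, the share path, and the group and user names are constructed placeholders, and the idmap lines assume a Samba release that uses the `idmap config` syntax.

```ini
# smb.conf for a Samba domain member server (constructed example).
# EXAMPLE / EXAMPLE.LOCAL and all user and group names are placeholders.

[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.LOCAL
    # Authenticate against the AD domain controllers via Kerberos;
    # passwords stay in AD and are never stored or changed by Samba.
    security = ads

    # winbind maps AD users and groups to local uid/gid values.
    idmap config * : backend = tdb
    idmap config * : range = 10000-99999
    # Lets users and groups be written without the EXAMPLE\ prefix.
    winbind use default domain = yes

    # The server sits in a DMZ: a failed login must stay a failed login,
    # never a silent fallback to the guest account.
    map to guest = never
    restrict anonymous = 2

[reserved]
    path = /srv/samba/reserved
    read only = no
    guest ok = no

    # Preferred: access follows membership of one AD group, so adding or
    # removing a person is done in AD, not by editing this file.
    valid users = @"EXAMPLE\reserved-share-users"

    # Also possible (what the original question asked for): name the
    # AD accounts directly in the share definition.
    ; valid users = alice, bob

    # Weak: with no "valid users" line at all, every account that can
    # authenticate to the domain can open the share.
```

After editing, `testparm` checks the file for syntax errors, and `net ads join -U <admin account>` performs the join, which requires that the Samba host can reach the domain controllers through the firewall.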