samba simple ldap

hopbyhop · 04-07-2009, 07:15 AM

Hi all,
I searched the forums and samba docs without finding a solution.
We have Windows 2003 Active Directory server holding mail user accounts. Users manage their passwords through Exchange's Webmail application. Most users are not joined to Windows domain and have plain workgroup setup.
I would set up a Samba server with this behaviour:

Samba's share definition in smb.conf list the users allowed to access THAT share;
Users provide their username and mail (AD) password;
Samba checks if THAT user is allowed to access the share and verifies the password via Active Direectory's LDAP;
No need to change AD password from Samba, no change to made in AD LDAP structure.

In other words I would replicate what I'm doing with Apache's mod_ldap, so users can access reserved pages supplying their (mail) username and password.

Any chance to succeed in making that?

Thanks all.

archangel_617b · 04-07-2009, 12:24 PM

Quote:

Originally Posted by hopbyhop

Hi all,
I searched the forums and samba docs without finding a solution.
We have Windows 2003 Active Directory server holding mail user accounts. Users manage their passwords through Exchange's Webmail application. Most users are not joined to Windows domain and have plain workgroup setup.
I would set up a Samba server with this behaviour:

Samba's share definition in smb.conf list the users allowed to access THAT share;
Users provide their username and mail (AD) password;
Samba checks if THAT user is allowed to access the share and verifies the password via Active Direectory's LDAP;
No need to change AD password from Samba, no change to made in AD LDAP structure.

In other words I would replicate what I'm doing with Apache's mod_ldap, so users can access reserved pages supplying their (mail) username and password.

Any chance to succeed in making that?

Thanks all.

Sure. Join Samba to the Domain. Put users in groups for who has access to each share. And then restrict the various shares to the user groups you've created.

There's loads of docs for getting Samba on the domain so that should be an issue. Let us know how far you get.

- Arch

hopbyhop · 04-07-2009, 01:11 PM

Do you mean configuring samba as a "Domain member server"? So I guess I have to install kerberos too...
Furthermore, Samba server is on DMZ, while AD server is behind the firewall, in a phisically separate subnet.
I think I'll have the issue to make AD server reachable trough the netbios name.

archangel_617b · 04-07-2009, 06:05 PM

Yep. Domain member server. If you want to authenticate users against AD, you're going to have to punch some holes from the file server to your domain controllers, I don't see any way around that.

You're not really going to be able to authenticate with just plain LDAP against active directory. It will require either a lot of modification of the directory or some modification of your directory plus keeping separate password accounts for the Samba server. If you're willing to really work-over your directory, then you can treat it as a regular LDAP directory and add all the schemas you need. But no matter what, if you want to get your Samba server to auth against AD, you've got to put a couple of holes in your firewall to allow communication between the two systems.

- Arch