[OmniOS-discuss] LDAP external auth for CIFS service

Gordon Ross gordon.w.ross at gmail.com
Fri Aug 26 16:14:49 UTC 2016 

Sorry for the delay -- been quite busy.  I do look at this list, but
only occasionally.

The way LDAP auth. works in SMB servers like Samba is that the server
allows SMB clients (i.e. Windows) to logon using accounts that work
the same as "local" accounts (what Windows would call "local"
accounts, meaning they are NOT domain accounts).  However, while the
SMB clients think these are "local" accounts, the server uses
something akin to the name service switch functions for LDAP to get
the details of these accounts needed for SMB.

Such accounts are not really "local", but are defined in your LDAP
service.  The SMB server needs a way to get some Windows-specific
details about those accounts from LDAP, including the "NT password
hash" (for authentication) and some other Windows-ish details.

The current LDAP libraries in illumos are sufficient for this (though
for other reasons, it would be nice if we could update them some day).
What's missing is some "glue" in the name service switch design, and
perhaps a new lookup method for the "NT password hash", which is
similar conceptually to the "shadow password" back-end functions.  One
can probably pretty much copy/paste the LDAP back-end function for
shadow passwd. to make the "ntpass" or whatever we call this new
nsswitch method.  The current /var/smb/smbpasswd stuff, currently
accessed directly from libsmb should really go through the "files"
back-end, and we might want to consider taking the opportunity to
change the format of that file (though that means doing some format
conversion work during upgrades).  Once a new nsswitch method for
"ntpass" (or whatever) is in place, the parts of this in the SMB
server (mostly libsmb) are fairly easy.

Requests for this feature have come up from time to time over the last
few years, but (so far) not from anyone who wanted it badly enough to
pay for the work.

Gordon


On Thu, Aug 18, 2016 at 11:15 AM, Dan McDonald <danmcd at omniti.com> wrote:
>
>> On Aug 18, 2016, at 11:04 AM, Mick Burns <bmx1955 at gmail.com> wrote:
>>
>> *bump*
>> anyone ?
>
> I'm going to forward your note to someone I know who works on CIFS.  He's not on this list.
>
> Stay tuned,
> Dan
>
> _______________________________________________
> OmniOS-discuss mailing list
> OmniOS-discuss at lists.omniti.com
> http://lists.omniti.com/mailman/listinfo/omnios-discuss

More information about the OmniOS-discuss mailing list