Saturday, June 23, 2018

samba - Using Samba4 with OpenLDAP on the same server to authenticate Windows clients accounts



I already have OpenLDAP directory with some services doing the authentication against it (OpenVPN, Jabber, Freeradius, redmine, etc...).
And what I still need to do is to make my server a domain controller to allow Windows clients to log in to Windows using the same username and password as the other services on my server.




I installed Samba4 and set it up as DC, but the problem was that Samba4 has its built-in LDAP server, and therefore I was not able to run the OpenLDAP (slapd) service at the same time as Samba (because they use the same port).



Could anybody help me to get that to work? (WITHOUT changing OpenLDAP port, and with NO pGina).



So in summary, what I want to do is:
Getting Samba4 domain controller and OpenLDAP to run on the same server, and make Samba4 authenticate against that OpenLDAP to allow Windows users to log in to Windows using the username and password from my previously created OpenLDAP directory.



I really appreciate any help, I spent more than a week searching with no success.


Answer




You cannot do that. First, none of the authentication methods Windows uses – neither modern Kerberos nor older NTLM – can be used with whatever hashed passwords you have stored on OpenLDAP. Even though Samba 3 could use OpenLDAP as its backend, it still required storing NTLM-compatible password hashes separately from the regular userPassword. Linux pam_ldap might be happy with just sending the raw password to the server for verification; Windows doesn't do that.



Second, Active Directory is more than just authentication – even a real Kerberos KDC doesn't duplicate all functions done by Samba4's integrated KDC (primarily, attaching PACs to the Kerberos tickets, containing the user's UID and other things taken from LDAP), but that's just the beginning. Windows also expects the AD DC to also have LDAP entries according to the Active Directory's LDAP schema, and to support various MS-RPC services – for joining the computer itself to the domain, for obtaining account information, and so on.

