[kwlug disc.] Authenticating both local and ADS users in Samba
John Van Ostrand
john at netdirect.ca
Tue Feb 5 10:39:45 EST 2008
Joe Wennechuk wrote:
> I'm kind of a newbie, but....
>
>
> Can't you use RADIUS for authentication in this type of situation?
Interesting idea. Does Windows have a RADIUS server that will serve the
appropriate values?

Can Samba be configured to use RADIUS for those values?

Samba authenticates differently than typical Linux and so typical Linux
passwords and user IDs are not enough. The passwords have to be stored
in one of two hash encryptions and depending on what level of client is
authenticating one of them will be needed. In most cases it's wise to
store both; this is what Samba does and I think Windows still does as well.

Because these hashes are outside of typical Linux authentication modules
Samba has to use a separate authentication database (called a SAM) to store
the extra info. The extra info is the passwords, UIDs, and account flags
at a minimum. This SAM is stored separately when non-compatible
authentication methods are used. This either puts them in an LDAP
directory or in the smbpasswd file. In some cases the extra info can be
computed or defaulted but this essentially treats all users the same. In
the case of AD integration this information is delivered by the AD server.

This data could be delivered by RADIUS. RADIUS can be configured to
provide all sorts of data.

It's also a Windows feature to be able to change your password through
the server (i.e. Samba). Also, administrators can use Windows admin tools
to add and update user information remotely. This would also be done
through Samba. In order to support these features Samba would have to
be able to update RADIUS. I don't think this is supported in the RADIUS
protocol.
--
*John Van Ostrand* *Net Direct Inc.*
CTO, co-CEO 564 Weber St. N. Unit 12
Waterloo, ON N2L 5C6
john at netdirect.ca Ph: 866-883-1172 ext.5102
*Linux Solutions / IBM Hardware* Fx: 519-883-8533
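
The smbpasswd file mentioned in the message above holds the extra fields it lists (both password hashes, the UID and the account flags). The following is an added example, not part of the original post or of Samba's own code: it parses records in the layout documented in smbpasswd(5) and reports enabled accounts that still carry the older-client (LM) hash or that require no password. The function names are hypothetical and the sample records are constructed, with made-up hex in place of real hashes.

```python
import re
from datetime import datetime, timezone

# Account-flag letters as documented in smbpasswd(5).
FLAGS = {"U": "user", "N": "no password", "D": "disabled",
         "X": "password never expires", "W": "workstation trust"}
HEX32 = re.compile(r"[0-9A-Fa-f]{32}")

def parse_smbpasswd_line(line):
    """Split one record: name:uid:LM hash:NT hash:[flags]:LCT-hex:"""
    parts = line.rstrip("\n").split(":")
    if len(parts) < 6:
        raise ValueError("not an smbpasswd record: %r" % line)
    name, uid, lm, nt, flags, lct = parts[:6]
    if not (flags.startswith("[") and flags.endswith("]")):
        raise ValueError("malformed account flags: %r" % flags)
    changed = None
    if lct.startswith("LCT-"):  # last change time, hex seconds since epoch
        changed = datetime.fromtimestamp(int(lct[4:], 16), tz=timezone.utc)
    return {"name": name, "uid": int(uid),
            # A field of X's (or "NO PASSWORD...") means no usable hash.
            "has_lm": HEX32.fullmatch(lm) is not None,
            "has_nt": HEX32.fullmatch(nt) is not None,
            "flags": [FLAGS.get(c, "unknown:" + c)
                      for c in flags[1:-1] if c != " "],
            "last_change": changed}

def audit(lines):
    """Return (name, finding) pairs for enabled accounts worth reviewing."""
    findings = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        rec = parse_smbpasswd_line(line)
        if "disabled" in rec["flags"]:
            continue
        if rec["has_lm"]:
            findings.append((rec["name"], "LM hash stored"))
        if "no password" in rec["flags"]:
            findings.append((rec["name"], "no password required"))
    return findings

def _rec(name, uid, lm, nt, flags, lct):
    return "%s:%d:%s:%s:[%s]:LCT-%s:" % (name, uid, lm, nt, flags.ljust(11), lct)

# Constructed sample records; hash values are made-up hex, not real hashes.
_LM, _NT = "0123456789ABCDEF" * 2, "FEDCBA9876543210" * 2
_NONE, _NOPW = "X" * 32, "NO PASSWORD" + "X" * 21
SAMPLE = [_rec("alice", 1001, _LM, _NT, "U", "47A88531"),
          _rec("bob", 1002, _NONE, _NT, "U", "47A88531"),
          _rec("ws01$", 1003, _NONE, _NONE, "DW", "00000000"),
          _rec("guest", 1004, _NOPW, _NOPW, "NU", "00000000")]

if __name__ == "__main__":
    for name, finding in audit(SAMPLE):
        print(name, finding)
```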