[kwlug disc.] Authenticating both local and ADS users in Samba
unsolicited
unsolicited at swiz.ca
Tue Feb 5 15:36:03 EST 2008
John Van Ostrand wrote, On 02/05/2008 10:39 AM:
> Joe Wennechuk wrote:
>> I'm kind of a newbie, but....
>>
>>
>> Can't you use RADIUS for authentication in this type of situation?
> Interesting idea. Does Windows have a RADIUS server that will serve the
> appropriate values?
There are free Windows RADIUS servers out there. I believe a free one is
now available with Windows. I forget whether IIS is required to make
it work.
Cisco _might_ have one; I do know they have a for-fee one.
Cygwin probably has one.
I guess a decision point is where should the RADIUS server reside?
Linux side or Windows side?
>
> Can Samba be configured to use RADIUS for those values?
>
> Samba authenticates differently than typical Linux and so typical Linux
.
.
.
John:
Does / can PAM play a role here? Will it hand off the authentication
request to Samba, or is PAM only for incoming / Linux authentication /
access requests?
.
.
.
> ... The extra info is the passwords, UIDs, and account flags
> at a minimum. This SAM is stored separately when non-compatible
> authentication methods are used. This either puts them in an LDAP
> directory or in the smbpasswd file.
So, firing up an LDAP is a useful thing? Once running successfully,
e.g. first adding LDAP as an authentication mechanism for PAM, one
could remove the smbpasswd mechanism?
Apples and oranges?
Can OpenLDAP be a client of AD, sucking up / synchronizing the data it
finds useful, and add on other bits that it doesn't? In this case, the
extra bits the RADIUS server might (have) provided?