These classnotes are deprecated. As of 2005, I no longer teach the classes. Notes will remain online for legacy purposes.

LDAP01/UNIX And Windows Authentication


So far in this class we have focused largely on UNIX servers, with only a few exceptions. The Samba project (http://www.samba.org/) has become a staple for administrators seeking to integrate UNIX file and printer sharing with Windows clients. Samba is a suite of programs that implement the server portion of the SMB protocol (later renamed CIFS).

Samba includes several client programs and administrative tools in addition to its server components. Adequate coverage of Samba is beyond the scope of this class. For more information about Samba, I would recommend taking the second UNIX course UNIX02.

To support the challenge/response authentication methods used by Microsoft clients, Samba requires a list of hashed passwords separate from the normal Unix account information stored in /etc/passwd (or in the posixAccount object class, for that matter). This collection of LanManager and Windows NT password hashes is normally stored in a file named smbpasswd, which has the format:

  username:uid:LM_HASH:NT_HASH:account flags:timestamp

Samba's smbpasswd file has several disadvantages for sites with many users:

  • Lookups are performed sequentially. When servicing a domain login request from a Windows client, there are a minimum of two lookups. These lookups can be a performance bottleneck.

  • Attempts at using a single smbpasswd file for multiple standalone servers require the administrator to use external tools, such as a combination of rsync, ssh, or scp, to replicate the file. This solution also requires that the set of Unix users and groups be synchronized between the servers, perhaps using the methods outlined in Chapter 6 of the book.

  • The format of the smbpasswd file limits the number of attributes that can be maintained for each user. When Samba is acting as a PDC, there are many additional fields, such as the location of a user's roving profile, that should be maintained on an individual basis.

All of these deficiencies can be addressed by moving the information from a local flat file into sambaAccount objects in an LDAP directory.
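As an added example (not part of the original classnotes), the following Python script parses smbpasswd records in the format shown above, indexes them by username, and emits the LDIF needed to attach the Samba data to a user's existing posixAccount entry. The sambaAccount attribute names, the RID mapping and the base DN are assumptions taken from Samba 2.2 defaults; the sample records and hash values are constructed.

```python
import re
from collections import namedtuple

# flags: letters from the bracketed account-flags field; last_change: LCT-<hex> as epoch seconds
SmbEntry = namedtuple("SmbEntry", "username uid lm_hash nt_hash flags last_change")
HEX32 = re.compile(r"^[0-9A-F]{32}$")
# Constructed sample smbpasswd file; the hash values are made up, not real hashes.
SAMPLE = """\
# username:uid:LM_HASH:NT_HASH:[account flags]:LCT-<hex seconds>:
alice:1001:0123456789ABCDEF0123456789ABCDEF:FEDCBA9876543210FEDCBA9876543210:[U          ]:LCT-3F78C4E2:
bob:1002:NO PASSWORDXXXXXXXXXXXXXXXXXXXXX:NO PASSWORDXXXXXXXXXXXXXXXXXXXXX:[NUD        ]:LCT-00000000:
"""

def _check_hash(value):
    """A hash field is 32 hex digits, 32 X's (never set) or the NO PASSWORD marker."""
    value = value.upper()
    if HEX32.match(value) or value == "X" * 32 or value.startswith("NO PASSWORD"):
        return value
    raise ValueError("bad hash field: %r" % value)

def parse_smbpasswd_line(line):
    """Parse one smbpasswd record; returns None for blank and comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = line.split(":")
    if len(fields) < 6:
        raise ValueError("malformed record: %r" % line)
    user, uid, lm, nt, flags, lct = fields[:6]
    if not (flags.startswith("[") and flags.endswith("]")):
        raise ValueError("bad account flags field: %r" % flags)
    if not lct.startswith("LCT-"):
        raise ValueError("bad timestamp field: %r" % lct)
    return SmbEntry(user, int(uid), _check_hash(lm), _check_hash(nt),
                    set(flags[1:-1].replace(" ", "")), int(lct[4:], 16))

def load_smbpasswd(text):
    """Index records by username, so a lookup is a dict hit rather than a file scan."""
    entries = (parse_smbpasswd_line(l) for l in text.splitlines())
    return {e.username: e for e in entries if e is not None}

def to_ldif(entry, base_dn="ou=People,dc=example,dc=com"):
    """LDIF adding sambaAccount data to the user's existing posixAccount entry. Assumes
    Samba 2.2 attribute names and the default RID mapping rid = 2*uid + 1000 (verify)."""
    attrs = [("objectClass", "sambaAccount"), ("rid", str(2 * entry.uid + 1000)),
             ("lmPassword", entry.lm_hash), ("ntPassword", entry.nt_hash),
             ("acctFlags", "[%-11s]" % "".join(sorted(entry.flags))), ("pwdLastSet", str(entry.last_change))]
    body = "\n-\n".join("add: %s\n%s: %s" % (a, a, v) for a, v in attrs)
    # lmPassword/ntPassword are password-equivalent: restrict read access to them in the directory ACLs.
    return "dn: uid=%s,%s\nchangetype: modify\n%s\n" % (entry.username, base_dn, body)
```

Feed the output to ldapmodify against a directory that already loads the Samba schema; the hash attributes must be protected by ACLs at least as strict as those on userPassword.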



Last edited September 29, 2003 10:10 pm (diff)
(C) Copyright 2003 Samuel Hart
This work is licensed under a Creative Commons License.