topic Re: CIFS authentication with LDAP in Network and Storage Protocols

CIFS authentication with LDAP

rkaramchedu1 — Thu, 05 Jun 2025 07:33:49 GMT

I *think* this is a supposedly supported and possible configuration, however it does not work in my tests.

Where To: Get a mac client to mount a SAMBA share from a NetApp Filer, which is using LDAP for user authentication

Configuration Steps

Setup a LDAP server with at least 1 posixAccount user object. -- DONE
Setup the Simulator with LDAP using options.ldap settings and editing /etc/nsswitch.conf -- DONE
Perform cifs setup and configure to use LDAP (#4 in the cifs setup) -- DONE
Verify on the console that LDAP lookups can be performed (using the getXXbyYY getpwbyname_r <username>) command. -- DONE
Verify CIFS authentication from a CIFS client -- NOT DONE. NO WORK.

I am stuck at #5. Even with cifs trace logins on and ldap server logs revved up, when I attempt a CIFS authentication from my mac, nothing happens. No log entries in the LDAP server and no message on the filer console.

Any thoughts ?

Re: CIFS authentication with LDAP

kusek — Tue, 09 Sep 2008 00:25:32 GMT

Just to confirm - What method are you attempting to connect from your mac client?

As a way to test this, I could fire up my filer at home (or my simulator just as well) and connect it to my mbp.

Ideally, I'd like to replicate your scenario as closely as possible in order to watch it fail or succeed respectively.

Thanks!

Christopher

Re: CIFS authentication with LDAP

rkaramchedu1 — Tue, 09 Sep 2008 00:39:52 GMT

Hi Christopher

I am using CIFS connection (Apple + K, cifs://<filername>/<share>)

cheers

- rajeev

Re: CIFS authentication with LDAP

nbernstein — Tue, 09 Sep 2008 07:24:11 GMT

what does the output of wcc and cifs security -s show?

Also check your security style on the volume/qtree you're trying to access. (qtree status)

-n

Re: CIFS authentication with LDAP

rkaramchedu1 — Tue, 09 Sep 2008 13:58:51 GMT

Well..with LDAP authentication, wcc does not put out any output since it is not joined into any domain. There is no windows domain to join.

The qtree security style is mixed. (I even tried ntfs).

Re: CIFS authentication with LDAP

rkaramchedu1 — Thu, 11 Sep 2008 23:02:55 GMT

This appears to be a Apple-NTAP specific issue. Because I got this setup to work with a Windows system.

In Mac OS X case, the LDAP request is never made. The communication breakdown occurs (looks like) between mac os x and NTAP.

(I tested this with the new version of simulator 7.3 and still the same result)

It would be wonderful if some of the CIFS folks can chime in here..

Re: CIFS authentication with LDAP

cebulrdcis — Fri, 26 Sep 2008 07:22:38 GMT

I will try this one in a simulator..

hope I'm successfulllll

Re: CIFS authentication with LDAP

BrendonHiggins — Fri, 26 Sep 2008 07:30:43 GMT

They may help

http://clctext.tlt.psu.edu/labs/mac/resources/authdoc/ldapauthorization.aspx

Re: CIFS authentication with LDAP

alopeznetapp — Fri, 29 Jan 2010 12:27:21 GMT

Hello.

I am having trouble implementing the mapping windows user when the storage system is integrated with a UNIX LDAP.

Could you send me your configuration file usermap.cfg?.

Thanks in advance.

Re: CIFS authentication with LDAP

fromero — Tue, 09 Feb 2010 23:40:08 GMT

I am having exactly the same problem stuck at #5, except that I do get a password rejected message on

the filer console:

auth: login from xxxxxxxx is rejected because the filer encountered an error while processing the password provided

by the user: user password rejected.

One other thing I have read is that the filer doesn't support md5 hashing. How can this get disabled in the ldap

configuration.

Does the command getXXbyYY returns the type of hasing being used in the ldap server?

I mean is if the line pw_passwd returned by the command.

Re: CIFS authentication with LDAP

rkaramchedu1 — Sat, 13 Feb 2010 14:41:31 GMT

[Been a while since I played with ldap configuration]

I *think* an individual object can override the server specific setting by specifying the hash method in the password attribute, depending on the ldap policy. There's a server specific setting that dictates how all the password encryptions are done, which is probably where you are getting the MD5 hashing from. You may want to work with the LDAP admin and see if you can set the encryption of one test account to other hashing methods and see if that works. ({crypt}, {clear}, {3des}, {ssha} etc)

I know this does not answer your questions specifically (not mine, for that matter), but HTH.

Re: CIFS authentication with LDAP

fromero — Wed, 17 Feb 2010 22:12:33 GMT

I tried the crypt hashing method as it was suggested by the NetApp folks but it yielded the same result,

previously I have tried also the cleartext in slapd.conf to no avail. Is quite frustrating.... I can see the

machine talking to the ldap server and mapping the windows user to the unix user but it goes again and

rejects the password.

Re: CIFS authentication with LDAP

fromero — Thu, 18 Feb 2010 17:40:46 GMT

Gentlemen,

I found a soultion to my problem not sure if this applies specifically to the original problem that was posted in this

thread but it fixed my problem. However, something to have in your little bag of tricks.

Turns out that with openldap in a RedHat system there is a perl module to where the smbldap-passwd command points

to, to get the hashing mode. The name of the file is smbldap_conf.pm and is located in /var/lib/samba/sbin/

there are two lines there, one a comment that reads:

#Unix password encryption {CRYPT, MD5, SMD5, SSHA, SHA}

the other is the actual string that says how the hashing is done.

$hash_encryption="SSHA"

I changed this line to CRYPT, re-entered the user password with smbldap-passwd.pl and Voila!!

users successfully authenticated and mapped drives. Run the getXXbyYY command and got the right encryption type.

Now, I am trying to point users straight into their home dirs instead of the root share that contains all users home dirs.

I am using usermap but not sure if that file helps to achieve this. Any suggestions? Thanks.

Re: CIFS authentication with LDAP

nerscsysadm — Thu, 18 Mar 2010 15:46:40 GMT

Hi, Iive read almost everything on internet and manuals and still stuck on #5.

I've a Mac OS X 10.5 server with OpenLDAP and the NetAPP Simulator 8.0 and this is the result so far:

netapp*> getXXbyYY getpwbyname_r [username]

pw_name = [username]

pw_passwd = {clear}********

pw_uid = 12345678, pw_gid = 20

pw_gecos =

pw_dir = /[path]/[to]/[username]

pw_shell = /bin/tcsh

In the log on the server I get:

Mar 18 16:41:00 [server] slapd[74]: SASL [conn=1204363] Failure: Couldn't find mech DIGEST-MD5

Mar 18 16:41:00 [server] slapd[74]: bind: invalid dn ([ldap_admin])

This is the options I have on the NetApp simulator:

netapp*> options ldap

ldap.ADdomain

ldap.base dc=[my],dc=[domain]

ldap.base.group cn=groups,dc=[my],dc=[domain]

ldap.base.netgroup

ldap.base.passwd cn=users,dc=[my],dc=[domain]

ldap.enable on

ldap.minimum_bind_level anonymous

ldap.name [ldap_admin]

ldap.nssmap.attribute.gecos gecos

ldap.nssmap.attribute.gidNumber gidNumber

ldap.nssmap.attribute.groupname cn

ldap.nssmap.attribute.homeDirectory homeDirectory

ldap.nssmap.attribute.loginShell loginShell

ldap.nssmap.attribute.memberNisNetgroup memberNisNetgroup

ldap.nssmap.attribute.memberUid memberUid

ldap.nssmap.attribute.netgroupname cn

ldap.nssmap.attribute.nisNetgroupTriple nisNetgroupTriple

ldap.nssmap.attribute.uid uid

ldap.nssmap.attribute.uidNumber uidNumber

ldap.nssmap.attribute.userPassword userPassword

ldap.nssmap.objectClass.nisNetgroup nisNetgroup

ldap.nssmap.objectClass.posixAccount posixAccount

ldap.nssmap.objectClass.posixGroup posixGroup

ldap.passwd ******

ldap.port 636

ldap.servers [ldap.my.domain]

ldap.servers.preferred [ldap.my.domain]

ldap.ssl.enable on

ldap.timeout 20

ldap.usermap.attribute.unixaccount unixaccount

ldap.usermap.attribute.windowsaccount windowsaccount

ldap.usermap.base

ldap.usermap.enable off

Any help appreciated!

Regards,

Lars-Gunnar Persson

Re: CIFS authentication with LDAP

rkaramchedu1 — Thu, 18 Mar 2010 18:20:53 GMT

Mar 18 16:41:00 [server] slapd[74]: SASL [conn=1204363] Failure: Couldn't find mech DIGEST-MD5

Mar 18 16:41:00 [server] slapd[74]: bind: invalid dn ([ldap_admin])

Looks like your ldap server (slapd) is receiving SASL bind call (either it is set on the server to accept only SASL connections or it's the client requesting). Note that this has nothing to do with User Authentication and its encryption.. (think of this has handshake that happens much before).

It seems like client is requesting a SASL bind with DIGEST-MD5 mechanism that the server is not configured to support - With that being the case, the subsequent ldap bind-dn is failing. If this handshake is not successful, then no subsequent ldap queries are allowed.

HTH

Re: CIFS authentication with LDAP

nerscsysadm — Fri, 19 Mar 2010 09:16:49 GMT

rkaramchedu1 wrote:
Mar 18 16:41:00 [server] slapd[74]: SASL [conn=1204363] Failure: Couldn't find mech DIGEST-MD5
Mar 18 16:41:00 [server] slapd[74]: bind: invalid dn ([ldap_admin])
Looks like your ldap server (slapd) is receiving SASL bind call (either it is set on the server to accept only SASL connections or it's the client requesting). Note that this has nothing to do with User Authentication and its encryption.. (think of this has handshake that happens much before). 
It seems like client is requesting a SASL bind with DIGEST-MD5 mechanism that the server is not configured to support  - With that being the case, the subsequent ldap bind-dn is failing. If this handshake is not successful, then no subsequent ldap queries are allowed.
HTH

Since the client is the OnTap 8.0 simulator, do you know how to change the requesting SASL bind to something else than DIGEST-MD5?

Regards,

Lars-Gunnar

Re: CIFS authentication with LDAP

rkaramchedu1 — Sat, 15 Jan 2011 23:28:46 GMT

It's a bit late on this reply but was looking into the ldap stuff cause someone else asked me a question on it..

The options ldap.name and ldap.passwd are used for SASL binding. You have a value set for ldap.name. Blank that out and for good measure, blank the ldap.passwd as well (note that you'll still see the six ***s after this). That should set non-SASL bind with your settings.

Re: CIFS authentication with LDAP

rkaramchedu1 — Sat, 15 Jan 2011 23:30:30 GMT

After testing, found out that method is the only method that works with NetApp LDAP.. wish this was documented this a bit better...

Re: CIFS authentication with LDAP

BRLUNDDAL — Tue, 14 Jun 2011 17:49:42 GMT

But a non-SASL bind against an Open Directory server returns passwords in Clear text, and Samba on Macs don't accept Clear Text passwords.

Edit: Found out how to enable Clear Text password by editing/creating the nsmb.conf file (Btw. the same works in Lion even though it doesn't use Samba anymore).

Another thing I discovered in my environment, where the LDAP is an Apple Open Directory server, is that ldap.nssmap.attribute.userPassword should be set to Password instead of userPassword.

Re: CIFS authentication with LDAP

sam_wozniak — Tue, 16 Oct 2012 22:19:38 GMT

I'd really like to know how to change the requesting SASL bind to something else besides DIGEST-MD5. Is it possible? We're running DOT 8.1.1 and not in a Sim.