lithium3141 (Tux's lil' helper)
Joined: 22 Dec 2004, Posts: 100
Posted: Fri May 01, 2009 3:30 am, Post subject: Samba authenticating to Windows LDAP server?
I'm trying to get a server set up that provides some file shares to Windows clients, and I'd like it to integrate with an existing authentication framework my school already has set up. There's a Windows LDAP server that holds info about all the students here - I'd like Samba to authenticate against that server and grant access to shares as appropriate.
I've looked around for guides, but all I've been able to find is documentation for setting up my own LDAP server for Samba to use. My situation is somewhat restricted: I don't have administrator rights on the LDAP server, and I need to use that server because I'd very much like to provide a unified login for my users (i.e. not have to have everyone maintain a separate account on this server).
I've managed to get LDAP, PAM, and NSS set up so that users can log in via SSH with their LDAP usernames, but I can't figure out how to get Samba to do the same. I've heard that it's bad to have Samba use PAM, as that requires disabling password encryption. Is there a way to, without admin privileges on any remote machine, set up Samba to authenticate users against a separate LDAP server?
vaxbrat (Guru)
Joined: 05 Oct 2005, Posts: 372, Location: DC Burbs
Posted: Fri May 01, 2009 3:59 am, Post subject: Can you just join the ads domain instead?
Are you really looking to integrate with Windows active directory? That method is well established and allows your Linux server to act as an ads domain member using the domain controller as its password server. You can use it to provide shares and home directories to Windows clients. The actual authentication mechanism is provided by proprietary extensions that Microsoft made against Kerberos.
lithium3141 (Tux's lil' helper)
Joined: 22 Dec 2004, Posts: 100
Posted: Fri May 01, 2009 12:26 pm, Post subject: Missing necessary permissions to use ADS
That would be a great way to go about it, but unfortunately I don't have privileges to join the machine to the domain. I've set up Samba to use ADS security and provided all the necessary information, but
Code:
    net ads join -U <username>
fails with a permission denied error. Is there a way to use the domain controller as the password server without joining the domain?
vaxbrat (Guru)
Joined: 05 Oct 2005, Posts: 372, Location: DC Burbs
Posted: Sat May 02, 2009 2:05 am, Post subject: sounds ugly
I've seen that sort of problem in a corporate environment where IT is scared of allowing Linux members. If you look at the samba writeup on ADS membership, you will see how to set up the Kerberos environment to use the domain controller as a password server before doing the "net ads join" command. The prelim stuff uses a keylogin command to get a kerberos ticket and should be useable with any sort of domain user account.
Your work will be cut out for you because the windows clients will want to use that machine account to browse shares, and you need a privileged account on the domain to add that account. You will need to cob together something that uses a kerberos ticket and pam modules that deal directly with kerberos instead.
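The two replies above describe the same setup from two angles: Samba as an ADS domain member using the domain controller as its password server, and the Kerberos preliminaries (get a ticket as an ordinary domain user, then attempt the join). The script below is an added example, not anything posted in this thread, and it renders the smb.conf and krb5.conf fragments that setup needs from a realm, workgroup and domain-controller name. The realm `example.test`, workgroup `EXAMPLE` and host `dc1.example.test` used in the comments are placeholders, and the `idmap config` lines use the syntax of current Samba releases (Samba 3.x of this era spelled the same ranges as `idmap uid` / `idmap gid`).

```shell
#!/bin/sh
# Added example: render the Samba and Kerberos configuration for an ADS
# domain member whose password server is the domain controller.
# All names passed in are placeholders chosen by the caller.

# Kerberos realm names are case-sensitive and conventionally upper-case;
# a lower-case realm is the usual reason the preliminary kinit fails.
normalize_realm() {
    printf '%s' "$1" | tr '[:lower:]' '[:upper:]'
}

# Emit the [global] section of smb.conf.
# Arguments: realm workgroup dc_fqdn
render_smb_conf() {
    realm=$(normalize_realm "$1")
    workgroup=$2
    dc=$3
    cat <<EOF
[global]
    workgroup = $workgroup
    realm = $realm
    security = ads
    password server = $dc
    # Keep encrypted passwords on: clients authenticate with NTLM or
    # Kerberos, so plaintext passwords are never required for a member.
    encrypt passwords = yes
    # SID-to-uid/gid mapping for winbind (modern Samba syntax).
    idmap config * : backend = tdb
    idmap config * : range = 10000-20000
    winbind use default domain = yes
    template shell = /bin/bash
EOF
}

# Emit a minimal krb5.conf pointing at the domain controller as KDC.
# Arguments: realm dc_fqdn
render_krb5_conf() {
    realm=$(normalize_realm "$1")
    dc=$2
    cat <<EOF
[libdefaults]
    default_realm = $realm
    dns_lookup_kdc = true
[realms]
    $realm = {
        kdc = $dc
        admin_server = $dc
    }
EOF
}

# The preliminary step from the reply above: prove that an ordinary domain
# user can obtain a ticket before attempting the join. Run this by hand on
# the server once the rendered files are in place; it is not invoked here.
preflight_kerberos() {
    kinit "$1" && klist
}

# The join itself, followed by Samba's own check of the result. Expect the
# "permission denied" from the thread unless the account has join rights.
join_domain() {
    net ads join -U "$1" && net ads testjoin
}

# Example invocation with placeholder names (writes to stdout only):
#   render_smb_conf example.test EXAMPLE dc1.example.test
#   render_krb5_conf example.test dc1.example.test
```

The rendered files only get you as far as the thread already did: until an account with join rights runs `net ads join`, the server has no machine account and no keytab, so it cannot decrypt the service tickets Windows clients present when they open the share, which is exactly the obstacle the last reply describes.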