[Samba] update encypted and LDAP

Martin Sapsed m.sapsed at bangor.ac.uk
Fri Jun 13 11:44:30 GMT 2003


John H Terpstra wrote:
> On Tue, 10 Jun 2003, Martin Sapsed wrote:
>>Testing a bit further seems to suggest that
>>
>>encrypt passwords = no
>>
>>doesn't work at all if you're using
>>
>>passdb backend = ldapsam:ldap://..., guest
>>
>>in 3.0alpha24. Is this a bug or a feature? ;-)
> 
> It's a feature. You can not have domain membership with plain text
> passwords. The purpose of the LDAP based SAM is to enable full NT style
> account data (including MS encrypted passwords) to be stored in a suitable
> scalable backend.

I *know* that, but at the moment we're mostly still on 9x using Plain 
text passwords and NIS. We've got a few machines running XP and 2000 and 
using smb.conf.%m files I've got them set to use encrypted passwords in 
an smbpasswd file containing the MS encrypted passwords for the relevant 
users.

We now want to start planning on migrating to perhaps XP and gathering 
the MS passwords for all 13,000 users. I thought it would be healthier 
to do this with the information on an LDAP server rather than having 
13,000 lines in an smbpasswd file!

> If you really must use plain text passwords you can use an LDAP backend
> for your Unix system accounts but your "passdb backend" entry should have
> "guest", but accessing of the LDAP backend will need to be done at the OS
> level. ie: Do NOT put ldapsam in the passdb backend line in your smb.conf.
> 
> PS: It is a very bad idea to use plain text passwords - it is insecure and
> no longer supported well by Microsoft.

I know that too.

> Use of plain text passwords will
> lead to operational problems and user complaints.

but those problems are small compared to switching one day to an 
LDAP/encrypted password service with very few usable passwords in it. I 
think it's safe to say that that would result in "operational problems" 
and one helluva lot of user complaints!

I believe that using "update encrypted = yes" to populate the NT/LM 
passwords in our new LDAP database would be the best solution to our 
particular problem, unless you can suggest a better one John, or anyone 
else?

Cheers,

Martin

P.S. why is the word encrypted so hard to type correctly?? ;-)

-- 
Martin Sapsed				
Information Services               "Who do you say I am?"
University of Wales, Bangor             Jesus of Nazareth
