[Samba] update encypted and LDAP - solution
Martin Sapsed
m.sapsed at bangor.ac.uk
Mon Jun 16 15:35:03 GMT 2003
Martin Sapsed wrote:
> I'm currently trying out samba-3.0alpha24 and moving to samba-3.0.0beta1
> since we're getting into XP and encrypted passwords etc. I was hoping to
> set everyone (about 13,000 users) up on an LDAP (openLDAP) server with
> just the Unix crypt passwords for now and run with
>
> encrypt passwords = no
> update encrypted = yes
>
> for a while to populate the NT/LM password hashes before going over to
> encrypted passwords for everyone. (Most clients are Win 9x using plain
> text passwords against NIS at the moment.)
>
> From what I can see and have gathered from some searching, it looks
> like "update encrypted" only works with an smbpasswd file. Is this the
> case? If so, has anyone out there tried living with a 13,000 line
> smbpasswd file for any length of time??
I'm answering my own question since nobody else got quite the right
answer although Tom Crummey put me thinking along the right lines.
If you have
passdb backend = ldapsam:ldap://..., guest
encrypt passwords = yes
then the Microsoft encrypted passwords stored in LDAP are used and
obviously this is the preferred solution for security and co-operation
from windows 2000 and XP etc.
If, however, you have
passdb backend = ldapsam:ldap://..., guest
encrypt passwords = no
update encrypted = yes
then the authentication check is against whatever authentication
mechanism the underlying machine is using (in my case NIS but could be
PAM etc) but the update encrypted flag causes the NT/LM passwords in
LDAP to be updated. My mistake was to assume that if you used ldapsam:
then authentication was against LDAP - the userid I was testing with had
a different crypt password in LDAP to what was in NIS.
Thanks to Tom for pointing me right. Apologies to John Terpstra if my
last reply to him was a bit terse!
Keep up the good work, team...
Cheers,
Martin
--
Martin Sapsed
Information Services "Who do you say I am?"
University of Wales, Bangor Jesus of Nazareth
More information about the samba
mailing list