[Samba] LDAP and the Password attribute in SAMBA

awilliam at whitemice.org awilliam at whitemice.org
Sun Aug 28 15:29:04 GMT 2005


> On Sun, 2005-04-10 at 13:53 +0200, Tony Earnshaw wrote:
>> søn, 10.04.2005 kl. 02.56 skrev Gerald (Jerry) Carter:
>> [...]
>> > There was some interesting code submitted by Engineers
>> > at Novell for utilizing the clear text password in eDirectory.
>> > The password is pulled via an extended LDAP operation from the
>> > DSA (over ldaps).  smbd can then generate the lm and nt
>> > hashes from this therefore allowing one password to be stored.
>> > We could do the same thing with OpenLDAP if people felt this
>> > was helpful.  I.e. Is storing 'userPassword: {clear}secret'
>> > worth the single password configuration?
>> This would be fantastic. I have to have plain text userPasswords in the
>> LDAP database for non-Samba related CRAM- and DIGEST-MD5 purposes.
>> Syncing the 3 password types is no great hassle, but not having to do
>> that would definitely be a plus. Is Novell's code Open Source, then?
> Yes, it's in current Samba releases.  What we should simply do is search
> for the userPassword attribute, and call pdb_set_plaintext_password().
> The tricky part of the patch will be writing the password back - I think
> that the default behaviour should be to write back into the plaintext
> password attribute, unless 'ldap password sync' is set.
> (this will imply keeping a little state around, but it won't be hard).

Did such a feature make it into Samba, or might it in the future?  I'm
like Tony and already keep userPassword as cleartext in order to support
DIGEST-MD5 for those clients that can't do Kerberos.

>> > And before anyone yells the word 'security!', the danger
>> > is in obtaining the OpenLDAP db files.  It is possible to
>> > secure the password from unauthorized LDAP client access.
>> > Of course, the security settings are slightly more challenging
>> > than relying on hashed passwords being stored in the directory.
>> > However, the lm and nt password hashes are clear text equivalent
>> > so for those people using Samba, using {clear} would be
>> > only slightly more scary.
>> I'm not worried about plain text passwords in the LDAP DB. The only
>> users who have access to them are the slapd user (no shell) and root.

Yep, I'm not worried about this either.  If you hack into the DC with
sufficient privileges to steal the DB files then I'm borked anyway.


