ldap and passwords

Mayers, P J p.mayers at ic.ac.uk
Fri Jan 7 19:29:44 GMT 2000


Yes - the LDAP support requires attributes lmpassword and ntpassword storing
the password hashes (appropriately protected by ACLs of course).

I don't think you understand LDAP very well. An entity can have attributes
which contain data. For example:

dn: uid=user, ou=People, dc=domain, dc=com
objectclass: top
objectclass: posixAccount
objectclass: sambaAccount
# posixAccount attributes, consumed by nss_ldap / pam_ldap
uid: user
uidnumber: 8102
gidnumber: 5643
cn: Common Name
homedirectory: /home/user
userpassword: {crypt}64236jigr
loginshell: /bin/bash
gecos: Gecos field
# sambaAccount attributes, consumed by samba (lmpassword/ntpassword hold the hashes)
ntuid: users
rid: 42c
homedrive: Z:
pwdcanchange: 00000000
pwdmustchange: FFFFFFFF
lmpassword: <hash goes here................>
ntpassword: <hash goes here................>
pwdlastset: 38036B07
acctflags: [U          ]
profile: \\domctrl\profiles\user
smbhome: \\file-server\user

This is (roughly, minus a few site-specifics) the template that we use here
for a unified UNIX account (via nss_ldap and pam_ldap) and NT account via
samba.

The samba server *needs* either the plaintext password or the password hash
- kerberos' network protocol can't supply either. It can *check* the
plaintext password, but that's not good enough.

You're going to need some way for the samba server to obtain the
password/password hash.

It would be good if Samba would calculate the password hash if the password
is stored in plaintext in the LDAP directory - that way, you could eliminate
the need for lmpassword and ntpassword altogether.

You're going to have to be more specific about your requirements before I
could say any more though.

Cheers,
Phil


-----Original Message-----
From: David Bear
To: Multiple recipients of list SAMBA-NTDOM
Sent: 1/7/00 4:30 PM
Subject: ldap and passwords

I'm a little confused regarding ldap support.  If samba uses ldap to
authenticate, does ldap have to be configured to store password hashes?
As I understand the password issue, only one-way hashes are sent over the
wire.  So the authenticating server either has to know the original plain
text password, or store the hash.  The whole issue with having to create
the additional smbpasswd file was related to this, correct?

Now as far as I understood ldap, I thought it was a directory spec to
enable access to x500-like hierarchical directories.  So, I can see where
ldap nodes -- end points -- could provide a directory of user names --
userid.  But how does one store smbpasswords there?  And how would one
update the smbpassword?

This is important to me at ASU because we have a kerberos infrastructure
in place -- and they are just creating the ldap infrastructure.  So, to
me I need to see if (1) ldap can be configured to help me with smb
passwords, or (2) if kerberos is the way to go -- or (3) if ldap would
provide some kind of gateway to kerberos principals?? Now I'm talking way
out of my realm...

David Bear
College of Public Programs/ASU
A word is just two nibbles and a byte...