NT/UNIX password synchronization, using LDAP for password store.

Luke Howard lukeh at PADL.COM
Sat Feb 19 01:34:31 GMT 2000


>I intend for the same LDAP directory subtree to be used for
>authentication store by Samba-TNG running on Linux, so that eventually
>each entry should have these LDAP attributeTypes
>
>    lmPassword
>    ntPassword
>    userPassword

For TNG, that will _probably_ be dBCSPwd and unicodePwd, instead
of lmPassword and ntPassword.

>Is there some feature of Samba which will cause it to synchronize
>lmPassword/ntPassword to the userPassword attribute when an NT
>password changes ?  If not, does anyone have any suggestions for how I
>might proceed ?

Good question. I don't expect that SAMBA gets the new password in the
clear, but I may be wrong; this is just a guess. If it doesn't, then
there's no way SAMBA can update the crypt() hashed password in the
userPassword attribute. One solution then would be to modify the
ldappasswd program that comes with OpenLDAP to update the NTLM hashes.

If SAMBA (when acting as a PDC) does get the cleartext password, then
perhaps all you need is a conversation with the ldappasswd program (included
with OpenLDAP).


-- Luke
--
Luke Howard
PADL Software Pty Ltd
http://www.padl.com

