A question about Auth Backends
Theodore J. Soldatos
theodore at eexi.gr
Wed Mar 28 10:47:59 GMT 2001
Doug Marcey wrote:
>
>
> One other question I had was: if NT and Unix send the encrypted passwords
> differently then how can samba use an LDAP backend for storing that
> information? Doesn't LDAP use the standard crypt(3) to store passwords? How
> does samba use that to validate an NT logon? Just curious.
>
> --Doug
>
OpenLDAP 2.0.7 can use SSHA, SHA, MD5, SMD5 and crypt, with SSHA as the
default. Samba must store the password in 2 ways (Lanman hash and NT
hash). If somebody could write an LDAP 2.0.7 patch for NT hash support,
then a PAM module (or direct LDAP support) could be written that would
store the NT hash in the userPassword attribute (which LDAP uses for
authentication) and Lanman hash in another special attribute. That way,
PAM aware software (like for example Cyrus IMAP) could authenticate
using pam_ldap and samba could authenticate using LDAP either via a
special PAM module or directly. Oh, and BTW, changing password in
OpenLDAP 2.0.7 using ldappasswd does not replicate to slave LDAPs -
write your own scripts :-)
I'm currently testing the following setup: I don't have users directly
logging in Linux machines. I have a Cyrus IMAP authenticating from LDAP
using pam_ldap. I have a Perl web interface for changing passwords in
LDAP. I have a Samba 2.2.0alpha3 PDC. I'm using "unix sync" to call a
Perl script which, given only the uid of the user, finds the full DN and
changes the password (which of course assumes that uids are unique. If
not, it fails). If a user changes the password from NT or W2K, the
script also changes the password in LDAP, so (for the user) domain logon
password is always the same with the mail server password. The web
interface code will be modified also: Instead of directly changing the
LDAP password (in which case the samba password will not change, bye-bye
sync), it will remotely (smbpasswd -r MACHINE) change the samba
password. Samba will call the script, which will change the LDAP
password, and we are in sync.
One problem with this setup is that, if one of the password databases
(LDAP or Samba) has been destroyed in some way, you cannot recreate it
from the other. I'm thinking about writing a script to keep a backup of
smbpasswd file in LDAP... *ugly*....
Also, adding users is another nightmare, because I need LDAP users to be
added in the /etc/passwd files of IMAP and Samba servers. I came up with
another ugly solution, involving perl scripts, encryption, ftp, samba
machine accounts and animal sacrifices, which I don't want to discuss here.
As for why not using pam_smb to authenticate IMAP from Samba, it's
because I explicitly want to use LDAP as my central password database.
T.
--
Theodore J. Soldatos - theodore at eexi.gr - bafh at hellug.gr - tsol at space.gr
Space Hellas - http://w4u.eexi.gr/~theodore - Finger: theodore at aurora.eexi.gr
"There is always a bug somewhere", said HAL to the Ultimate Programmer, and turned off the air supply.
"Everybody knows the war is over, everybody knows the good guys lost" - Leonard Cohen