A question about Auth Backends

Theodore J. Soldatos theodore at eexi.gr
Wed Mar 28 10:47:59 GMT 2001

Doug Marcey wrote:

> One other question I had was: if NT and Unix send the encrypted passwords
> differently then how can samba use and LDAP backend for storing that
> information? Doesn't LDAP use the standard crypt(3) to store passwords? How
> does samba use that to validate and NT logon? Just curious.
>  			--Doug
OpenLDAP 2.0.7 can use SSHA, SHA, MD5, SMD5 and crypt, whith SSHA as the 
default. Samba must store the password in 2 ways (Lanman hash and NT 
hash). If somebody could write an LDAP 2.0.7 patch for NT hash support, 
then a PAM module (or direct LDAP support) could be written that would 
store the NT hash in the userPassword attribute (which LDAP uses for 
authentication) and Lanman hash in another special attribute. That way, 
PAM aware software (like for example Cyrus IMAP) could authenticate 
using pam_ldap and samba could authenticate using LDAP either via a 
special PAM module or directly. Oh, and BTW, changing password in 
OpenLDAP 2.0.7 using ldappasswd does not replicates to slave LDAPs - 
write your own scripts :-)

I'm currently testing the following setup: I don't have users directly 
logging in Linux machines. I have a Cyrus IMAP authenticating from LDAP 
using pam_ldap. I have a Perl web interface for changing passwords in 
LDAP. I have a Samba 2.2.0alpha3 PDC. I'm using "unix sync" to call a 
Perl script which, given only the uid of the user, finds the full DN and 
changes the password (which of course assumes that uids are unique. If 
not, it fails). If a user changes the password from NT or W2K, the 
script also changes the password in LDAP, so (for the user) domain logon 
password is always the same with the mail server password. The web 
interface code will be modified also: Instead of directly changing the 
LDAP pasword (in which case the samba password will not change, bye-bye 
sync), it will remotely (smbpasswd -r MACHINE) change the samba 
password. Samba will call the script, which will change the LDAP 
password, and we are in sync.

One problem with this setup is that, if one of the password databases 
(LDAP or Samba) is been destroyed in some way, you cannot recreate it 
from the other. I'm thinking about writing a script to keep a backup of 
smbpasword file in LDAP... *ugly*....

Also, adding users is another nightmare, because i need LDAP users to be 
added in the /etc/passwd files of IMAP and Samba servers. I came up with 
another ugly solution, involving perl scripts, encryption, ftp, samba 
machine accounts and animal sacrifices, which i don't want to discuss here.

As for why not using pam_smb to authenticate IMAP from Samba, it's 
because i explicitly want to use LDAP as my central password database.


=  theodore at eexi.gr =_/_==Ultimate=Programmer,=and=turned=off=the=air=supply.=
=   bafh at hellug.gr  =_\_="Everybody=knows=the=war=is=over,====================
=   tsol at space.gr   =_/_==everybody=knows=the=good=guys=lost"===Leonard=Cohen=
=====================_\_============ http://w4u.eexi.gr/~theodore ============
=== Space Hellas ====_/_=========== Finger: theodore at aurora.eexi.gr ==========

More information about the samba-ntdom mailing list