ldap gina

Osama Dengler osama at denglernet.de
Sat Mar 9 05:34:04 GMT 2002

On 7 Mar 2002 at 17:57, Andrew Bartlett wrote on the topic Re: ldap gina:
My opinion on this:

> I really don't see what this gains you (apart from a *lot* of work) over
> just running Samba as a PDC on an LDAP backend.   That way you don't
> need to worry about undocumented SAMR interfaces, as samba already
> handles all that.  
> You are going to need NT and LM hashes in your LDAP directory the moment
> you want to do a file-share connect anyway (not needing these being the
> main reason I can see for doing this).

Well, running samba as PDC w/ LDAP SAM doesn't solve the problem of
unix / NT password synchronisation if you don't use winbind. As winbind is
not an option in many environments I'm thinking of a different way of 
synchronizing the passwords. The idea is to make NT use the unix password
instead of changing the unix auth subsystem. That is the main reason for
the effort I spent in LdapLsaAp.

Another scenario is the many sites where not even LDAP is an option but
e.g. NIS is used for unix authentication. Once LdapLsaAp is running, it could
easily be used as a framework for other ways of authentication apart from 

The other thing I'm currently trying is to write an NT password filter DLL that
is responsible for keeping the passwords in sync. This should probably be
easier than a complete authentication package. However, I tried this
some time ago and it didn't work because the DLL was never being called
although everything was set up correctly. I'll give this another try.

I don't know enough about how a fileshare connection is made between Windows
systems. The authentication package documentation mentions "network logons".
I assumed this to be the mechanism that is used for fileshare connections. If
the SAM is directly queried there is obviously a problem with LdapLsaAp and we
might need a full security package.

Greetings, Osama
Osama Dengler
