ldap gina

Andrew Bartlett abartlet at pcug.org.au
Sat Mar 9 14:57:03 GMT 2002


Osama Dengler wrote:
> 
> On 7 Mar 2002 at 17:57, Andrew Bartlett wrote on the subject Re: ldap gina:
> My opinion on this:
> 
> > I really don't see what this gains you (apart from a *lot* of work) over
> > just running Samba as a PDC on an LDAP backend.   That way you don't
> > need to worry about undocumented SAMR interfaces, as samba already
> > handles all that.
> >
> > You are going to need NT and LM hashes in your LDAP directory the moment
> > you want to do a file-share connect anyway (not needing these being the
> > main reason I can see for doing this).
> 
> Well, running samba as PDC w/ LDAP SAM doesn't solve the problem of
> unix / NT password synchronisation if you don't use winbind. 

I don't see how you come to this conclusion.  Have you attempted to use
the 'unix password sync' smb.conf option?  Or run pam_smbpass on the
PDC?

Personally, I use pam_winbind and pam_krb5 to keep my two password
databases in sync - it works quite well actually.

> As winbind is
> not an option in many environments.

Which environments?  I know of (and we are working on) the NFS case, but
what others?

> I'm thinking of a different way of
> synchronizing the passwords. The idea is to make NT use the unix password
> instead of changing the unix auth subsystem. That is the main reason for
> the effort I spent in LdapLsaAp.

I really don't think this can actually work for anything more than the
initial logon prompt, but I would be glad to be proved otherwise.

> Another scenario are the many sites where not even LDAP is an option but
> e.g. NIS is used for unix authentication. Once LdapLsaAp is running, it could
> easily be used as a framework for other ways of authentication apart from
> LDAP.
> 
> The other thing I'm currently trying is to write a NT password filter DLL that
> is responsible for keeping the passwords in sync. This should probably be
> easier than a complete authentication package. However, I've tried this
> some time ago and it didn't work because the DLL was never being called
> although everything was set up correctly. I'll give this another try.
>
> I don't know enough about how a fileshare connection is made between Windows
> systems. The authentication package documentation mentions "network logons".
> I assumed this to be the mechanism that is used for fileshare connections. If
> the SAM is directly queried there is obviously a problem with LdapLsaAp and we
> might need a full security package.

The file-share connections use the NTLM challenge-response mechanism -
therefore the minimum requirement is that you are able to process an
NTLM challenge-response pair.  This means that you *must* store either
the cleartext password or the NT and LM hashes.

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net



