ldap gina

Andrew Bartlett abartlet at pcug.org.au
Sat Mar 9 14:57:03 GMT 2002

Osama Dengler wrote:
> On 7 Mar 2002 at 17:57, Andrew Bartlett wrote on the subject Re: ldap gina:
> My opinion on that:
> > I really don't see what this gains you (apart from a *lot* of work) over
> > just running Samba as a PDC on an LDAP backend.   That way you don't
> > need to worry about undocumented SAMR interfaces, as samba already
> > handles all that.
> >
> > You are going to need NT and LM hashes in your LDAP directory the moment
> > you want to do a file-share connect anyway (not needing these being the
> > main reason I can see for doing this).
> Well, running samba as PDC w/ LDAP SAM doesn't solve the problem of
> unix / NT password synchronisation if you don't use winbind. 

I don't see how you come to this conclusion.  Have you attempted to use
the 'unix password sync' smb.conf option?  Or run pam_smbpass on the

Personally, I use pam_winbind and pam_krb5 to keep my two password
databases in sync - it works quite well actually.

> As winbind is
> not an option in many environments.

Which environments?  I know of (and we are working on) the NFS case, but
what others?

> I'm thinking of a different way of
> synchronizing the passwords. The idea is to make NT use the unix password
> instead of changing the unix auth subsystem. That is the main reason for
> the effort I spent in LdapLsaAp.

I really don't think this can actually work for anything more than the
initial logon prompt, but I would be glad to be proved otherwise.

> Another scenario are the many sites where not even LDAP is an option but
> p.e. NIS is used for unix authentication. Once LdapLsaAp is running, it could
> easily be used as a framework for other ways of authentication apart from
> The other thing I'm currently trying is to write a NT password filter DLL that
> is responsible for keeping the passwords in sync. This should probably be
> easier than a complete authentication package. However, I've tried this
> some time ago and it didn't work because the DLL was never being called
> although everything was set up correctly. I'll give this another try.
> I don't know enough about how a fileshare connection is made between Windows
> systems. The authentication package documentation mentions "network logons".
> I assumed this to be the mechanism that is used for fileshare connections. If
> the SAM is directly queried there is obviously a problem with LdapLsaAp and we
> might need a full security package.

The file-share connections use the NTLM challenge-response mechanism -
therefore the minimum requirement is that you are able to process an
NTLM challenge-response pair.  This means that you *must* store either
the cleartext password or the NT and LM hashes.

Andrew Bartlett

Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net

More information about the samba-technical mailing list