Getting OpenLDAP to auth users against sambaNTPassword

Ronny Bremer rbremer at future-gate.com
Fri Jun 20 06:09:46 GMT 2003


Andrew,

in principle, what you can do is to pass on an NTLM password hash and
it will be compared with the stored value in the LDAP directory. As you
don't have the clear text password, you can't use a simple bind, so SASL
is the way to go. You provide the hash and NMAS will verify it. To add
to the confusion, there are also attributes defined for the NTPassword
and LMPassword hash values, which can be used to authenticate the user
without having the clear text passwords. These are updated automatically
if you perform a password change.

I will try to dig a better description up for you.

Ronny

>>> Andrew Bartlett <abartlet at samba.org> 19.06.2003 08:22:32 >>>
On Thu, 2003-06-19 at 16:16, Ronny Bremer wrote:
> Which would also work when talking to Novell eDirectory. They have
> something called Novell Modular Authentication Services, so we can pass
> the NTLM hash straight to them and they will compare, works as a SASL
> bind method via LDAP.

Is this for authenticating other things on Novell, Samba against Novell
or Novell against samba's attribute in the Novell directory?

I'm a bit confused which interface this is.

For authenticating Samba users (domain logins/cifs connections), we need
to do more than pass off the NTLM challenge-response - we need data back
like the session key, and need to deal with NTLMv2 etc.

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet at pcug.org.au 
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org 
Student Network Administrator, Hawker College   abartlet at hawkerc.net 
http://samba.org     http://build.samba.org     http://hawkerc.net