Getting OpenLDAP to auth users against sambaNTPassword

Andrew Bartlett abartlet at samba.org
Fri Jun 20 06:31:34 GMT 2003


On Fri, 2003-06-20 at 16:09, Ronny Bremer wrote:
> Andrew,
> 
> in principle, what you can do is to pass on an NTLM password hash and
> it will be compared with the stored value in the LDAP directory. As you
> don't have the clear text password, you can't use a simple bind, so SASL
> is the way to go. You provide the hash and NMAS will verify it. To add
> to the confusion, there are also attributes defined for the NTPassword
> and LMPassword hash values, which can be used to authenticate the user
> without having the clear text passwords.

Firstly, I'm assuming you mean this to allow Samba to check incoming
CIFS users against the directory.

Does this work with the NTLM response?  We don't have the NTLM hash,
only the challenge-response value.  How does the Novell server trust us
that we can use these values?  How does it supply us with the session
key?  How does it work with NTLMv2?

> These are updated automatically
> if you perform a password change.

This is good news, given the previous sorry history in this area (I know
for ages a change of the Novell password would not update them).

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
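The point raised above (the CIFS server holds only the challenge and the client's response, so whoever checks it must hold the NT hash, and must also produce the session key) can be illustrated with the NTLMv2 computation from MS-NLMP. This is an added example, not code from the thread, from Samba or from Novell; the NT hash, challenge and blob bytes are constructed placeholders.

```python
import hmac
import hashlib

# Constructed placeholder values (not real credentials or captured traffic).
NT_HASH = bytes.fromhex("0123456789abcdef0123456789abcdef")  # stands in for MD4(UTF-16LE password)
USER, DOMAIN = "alice", "EXAMPLE"
SERVER_CHALLENGE = bytes.fromhex("1122334455667788")           # 8-byte nonce sent by the server
# A real NTLMv2 blob carries a timestamp, client nonce and target info; treated as opaque bytes here.
BLOB = bytes.fromhex("0101000000000000") + b"\x00" * 8 + bytes.fromhex("a1b2c3d4e5f60718")


def ntowf_v2(nt_hash: bytes, user: str, domain: str) -> bytes:
    """NTOWFv2 (MS-NLMP 3.3.2): HMAC-MD5 keyed with the NT hash over UPPER(user)||domain, UTF-16LE."""
    return hmac.new(nt_hash, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()


def client_ntlmv2_proof(nt_hash, user, domain, server_challenge, blob) -> bytes:
    """Client side: NTProofStr = HMAC-MD5(NTOWFv2, ServerChallenge || blob)."""
    return hmac.new(ntowf_v2(nt_hash, user, domain), server_challenge + blob, hashlib.md5).digest()


def verify_ntlmv2(stored_nt_hash, user, domain, server_challenge, blob, nt_proof):
    """Verifier side. It needs the stored NT hash: the proof alone cannot be checked,
    which is why handing only the challenge-response to a directory bind does not work.
    Returns the SessionBaseKey on success, None on failure."""
    key = ntowf_v2(stored_nt_hash, user, domain)
    expected = hmac.new(key, server_challenge + blob, hashlib.md5).digest()
    if not hmac.compare_digest(expected, nt_proof):   # constant-time comparison
        return None
    # SessionBaseKey = HMAC-MD5(NTOWFv2, NTProofStr): the key the SMB server needs for signing/sealing.
    return hmac.new(key, nt_proof, hashlib.md5).digest()


def demo():
    """Run one exchange: a correct verification, then the same proof checked against a wrong hash."""
    proof = client_ntlmv2_proof(NT_HASH, USER, DOMAIN, SERVER_CHALLENGE, BLOB)
    good = verify_ntlmv2(NT_HASH, USER, DOMAIN, SERVER_CHALLENGE, BLOB, proof)
    wrong_hash = bytes(b ^ 0xFF for b in NT_HASH)
    bad = verify_ntlmv2(wrong_hash, USER, DOMAIN, SERVER_CHALLENGE, BLOB, proof)
    return proof, good, bad


if __name__ == "__main__":
    p, g, b = demo()
    print("proof:", p.hex(), "session key:", g.hex() if g else None, "with wrong hash:", b)
```

The same proof also fails against a different server challenge, which is the replay protection the challenge provides.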