Samba vs PAM (authentication against NDS)

Peter Samuelson peter at cadcamlab.org
Sat Mar 18 08:34:10 GMT 2000


[Marek Les]
> Yes but that's what I really don't want to do.. This way it would
> send plaintext NDS passwords over the net.. with our network topology
> this is an unacceptable security measure.. :(

Depends on your setup.  Basically, those passwords have to go over the
network somehow.  Either in plaintext or as a LanManager hash, which
itself is protected via a challenge-response mechanism.  In the former
case, the plaintext passwords can then be hashed any way you need to,
for checking against NDS.  In the latter case, you do *not* have
plaintext at the Samba end, so the only way to check against the NDS is
if the NDS stores passwords in that same LanManager hash format.

Anyway, the short answer is no, you can't do what you want, not without
patching Samba.  Patch it so that instead of consulting smbpasswd it
consults your NDS server.  And, if your NDS server doesn't store
passwords in the peculiar Windows LanManager form, you are truly out of
luck.  And let's not even go into the issue of *changing* passwords....

Peter
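
The constraint described in the message above, as an added example that is not part of the original post and is not Samba code. HMAC-SHA256 stands in for the DES-based LanManager hash and challenge-response, and `directory_hash` is a hypothetical salted format, not a claim about what NDS actually stores; all function names and the sample password are constructed for illustration.

```python
import hashlib
import hmac
import os

def client_hash(password: str) -> bytes:
    """Stand-in for the LanManager hash: unsalted, so both ends can derive the same key."""
    return hashlib.sha256(password.encode()).digest()

def directory_hash(password: str, salt: bytes) -> bytes:
    """Hypothetical directory format: salted and iterated, unrelated to client_hash."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 1000)

def client_response(password: str, challenge: bytes) -> bytes:
    """What crosses the network in challenge-response mode: never the password itself."""
    return hmac.new(client_hash(password), challenge, hashlib.sha256).digest()

def verify_response(stored_key: bytes, challenge: bytes, response: bytes) -> bool:
    """Server side: it can only recompute the response from the key it has stored."""
    expected = hmac.new(stored_key, challenge, hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)

def verify_plaintext(password: str, salt: bytes, stored: bytes) -> bool:
    """Server side with plaintext in hand: re-hash in the directory's own format."""
    return hmac.compare_digest(directory_hash(password, salt), stored)

def demo() -> dict:
    password = "constructed-sample-password"          # constructed sample value
    salt = os.urandom(16)
    smbpasswd_entry = client_hash(password)           # same format as the client uses
    directory_entry = directory_hash(password, salt)  # different storage format
    challenge = os.urandom(8)
    response = client_response(password, challenge)
    wrong = client_response("wrong-password", challenge)
    return {
        # Stored hash matches the client's format: verification works.
        "response_vs_same_format": verify_response(smbpasswd_entry, challenge, response),
        # Correct password, but the store holds a different hash: cannot verify.
        "response_vs_directory_format": verify_response(directory_entry, challenge, response),
        # Plaintext on the wire can be re-hashed into any format the store needs.
        "plaintext_vs_directory_format": verify_plaintext(password, salt, directory_entry),
        "wrong_password_rejected": not verify_response(smbpasswd_entry, challenge, wrong),
    }

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```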

