Samba vs PAM (authentication against NDS)

Marek Les marek at
Mon Mar 20 12:36:34 GMT 2000

> Depends on your setup.  Basically, those passwords have to go over the
> network somehow. 

For sure.

> Either in plaintext or as a LanManager hash, which
> itself is protected via a challenge-response mechanism.  In the former
> case, the plaintext passwords can then be hashed any way you need to,
> for checking against NDS.  In the latter case, you do *not* have
> plaintext at the Samba end, so the only way to check against the NDS is
> if the NDS stores passwords in that same LanManager hash format.

Hmm.. I am not sure about this, maybe you can explain it to me.. if I 
have a Novell Client installed in Windows 95 (with password 
encrypting enabled) and I log in the Novell Server through NDS I 
don't send any LanManger hashed password, don't I ? I don't know 
exactly what type of encryption NDS uses (I'd say some one-way 
stream?) but I'd say that Samba shouldn't play a role here because it 
should just hand it over to the PAM module..

> Anyway, the short answer is no, you can't do what you want, not without
> patching Samba.  Patch it so that instead of consulting smbpasswd it
> consults your NDS server. 

Well I managed to get NDS authenticating working _locally_ .. That 
means I can login via smbclient from the same computer using the 
password in NDS. However I fail to do even 'net view \\server' from 
Windows, I'm getting Error 86 : Wrong password.. note that I'm not 
sure if I didn't broke something up during the several 
(mis)configuration :-) .. However, the other (non NDS) Samba server 
works fine with this Windows client .. also note that I can see the 
experimental server when I do "net view" ..

> And, if your NDS server doesn't store
> passwords in the peculiar Windows LanManager form, you are truly out of
> luck.  And let's not even go into the issue of *changing* passwords....

I don't get the point right now.. well, the goal of all this is to 
have all the accounts handled _globaly_ , easily and comfortably from 
the Novell NDS, which has a really very nice way of handling such 
things. What's the problem of changing the password in NDS?

     Marek "MaX" Leš

More information about the samba mailing list