[Samba] PDC/Roving Profiles/and Password Encryption

Buchan Milne bgmilne at cae.co.za
Wed Jun 4 11:05:22 GMT 2003



> Message: 8
> Date: Tue, 3 Jun 2003 07:11:15 -0700 (PDT)
> From: Dan Kador <shoutinwhispers at yahoo.com>
> Subject: [Samba] PDC/Roving Profiles/and Password Encryption
> To: samba at lists.samba.org
> Message-ID: <20030603141115.41568.qmail at web21512.mail.yahoo.com>
> Content-Type: text/plain; charset=us-ascii
>
> Hi All,
>
> Well, despite my general idiocy I've managed to get PDC and roving
> profiles working perfectly in my test situation.  Obviously, this
> isn't good enough since computers are the devil, so I've run into some
> more problems.
>
> Fortunately for the Samba team, this isn't a problem with Samba - I
> think it's more a problem with how our network is set up here.
>
> Basically, I'm wondering if there's a way to enable PDC and roving
> profiles using UNencrypted passwords.

No, no Windows clients will join a domain with clear-text passwords.

> I have it working WITH
> encrypted passwords, but this presents a problem as we're using an
> LDAP database that takes unencrypted passwords, and then when we
> actually login to a server (say the student server), the actual
> student server does the password hashing.  I'm not sure if that
> explanation makes sense, but the important thing is that each client
> computer MUST have cleartext passwords enabled or they cannot login to
> the student server.

Not totally true, you can have samba authenticate against the NT
password hash stored in LDAP, and use synchronisation tools to keep the
unix hash and the NT hash in sync.

>
> As far as I can tell, this is what happens when I login to the domain
> from my 2K box using unencrypted passwords.  I get into the domain
> just fine - if I have a profile path declared, I get an error saying
> that the profile cannot be loaded.  This stems from the client not
> getting a true PDC authentication with the server, as the server's
> shares are not viewable until I run a "NET USE" command that includes
> a valid username and password.  Once that is done, I can view any of
> the shares fine.
>

Well, you won't be able to join new machines to the domain either.

> If there's a way to circumvent this problem or if I've managed to
> screw yet another thing up, let me know.  And a preemptive thanks to
> John - you've been a lot of help
>

See http://www.mandrakesecure.net/en/docs/samba-pdc.php for details in
getting samba running on an LDAP backend the easy way, and
http://www.mandrakesecure.net/en/docs/samba-ldap-advanced.php (not
totally complete yet) for adding in some cool features.

Buchan

--
|--------------Another happy Mandrake Club member--------------|
Buchan Milne                Mechanical Engineer, Network Manager
Cellphone * Work            +27 82 472 2231 * +27 21 8828820x202
Stellenbosch Automotive Engineering         http://www.cae.co.za
GPG Key                   http://ranger.dnsalias.com/bgmilne.asc
1024D/60D204A7 2919 E232 5610 A038 87B1 72D6 AC92 BA50 60D2 04A7

