[Samba] update encypted and LDAP

[John H Terpstra]

On Tue, 10 Jun 2003, Martin Sapsed wrote:

> Andrew Bartlett wrote:
> > On Tue, 2003-06-10 at 02:13, Martin Sapsed wrote:
> >
> >>Hello all,
> >>
> >>I'm currently trying out samba-3.0alpha24 and moving to samba-3.0.0beta1
> >>since we're getting into XP and encrypted passwords etc. I was hoping to
> >>set everyone (about 13,000 users) up on an LDAP (openLDAP) server with
> >>just the Unix crypt passwords for now and run with
> >>
> >>encrypt passwords = no
> >>update encrypted = yes
> >>
> >>for a while to populate the NT/LM password hashes before going over to
> >>encrypted passwords for everyone. (Most clients are Win 9x using plain
> >>text passwords against NIS at the moment.)
> >>
> >> From what I can see and have gathered from some searching, it looks
> >>like "update encrypted" only works with an smbpasswd file. Is this the
> >>case?
> >
> > The code routines call the passdb backend, whatever that may be.
>
> Testing a bit further seems to suggest that
>
> encrypt passwords = no
>
> doesn't work at all if you're using
>
> passdb backend = ldapsam:ldap://..., guest
>
> in 3.0alpha24. Is this a bug or a feature? ;-)

It's a feature. You can not have domain membership with plain text
passwords. The purpose of the LDAP based SAM is to enable full NT style
account data (including MS encrypted passwords) to be stored in a suitable
scalable backend.

If you really must use plain text passwords you can use an LDAP backend
for your Unix system accounts but your "passdb backend" entry should have
"guest", but accessing of the LDAP backend will need to be done at the OS
level. ie: Do NOT put ldapsam in the passdb backend line in your smb.conf.

PS: It is a very bad idea to use plain text passwords - it is insecure and
no longer supported well by Microsoft. Use of plain text passwords will
lead to operational problems and user complaints.

- John T.
-- 
John H Terpstra
Email: jht at samba.org