[Samba] update encypted and LDAP
m.sapsed at bangor.ac.uk
Fri Jun 13 11:44:30 GMT 2003
John H Terpstra wrote:
> On Tue, 10 Jun 2003, Martin Sapsed wrote:
>>Testing a bit further seems to suggest that
>>encrypt passwords = no
>>doesn't work at all if you're using
>>passdb backend = ldapsam:ldap://..., guest
>>in 3.0alpha24. Is this a bug or a feature? ;-)
> It's a feature. You can not have domain membership with plain text
> passwords. The purpose of the LDAP based SAM is to enable full NT style
> account data (including MS encrypted passwords) to be stored in a suitable
> scalable backend.
I *know* that, but at the moment we're mostly still on 9x using Plain
text passwords and NIS. We've got a few machines running XP and 2000 and
using smb.conf.%m files I've got them set to use encrypted passwords in
an smbpasswd file containing the MS encrypted passwords for the relevant
We now want to start planning on migrating to perhaps XP and gathering
the MS passwords for all 13,000 users. I thought it would be healthier
to do this with the information on an LDAP server rather than having
13,000 lines in an smbpasswd file!
> If you really must use plain text passwords you can use an LDAP backend
> for your Unix system accounts but your "passdb backend" entry should have
> "guest", but accessing of the LDAP backend will need to be done at the OS
> level. ie: Do NOT put ldapsam in the passdb backend line in your smb.conf.
> PS: It is a very bad idea to use plain text passwords - it is insecure and
> no longer supported well by Microsoft.
I know that too.
> Use of plain text passwords will
> lead to operational problems and user complaints.
but those problems are small compared to switching one day to an
LDAP/encrypted password service with very few usable passwords in it. I
think it's safe to say that that would result in "operational problems"
and one helluva lot of user complaints!
I believe that using "update encrypted = yes" to populate the NT/LM
passwords in our new LDAP database would be the best solution to our
particular problem, unless you can suggest a better one John, or anyone
P.S. why is the word encrypted so hard to type correctly?? ;-)
Information Services
University of Wales, Bangor
"Who do you say I am?"
Jesus of Nazareth
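Added example, not part of the original message and not Samba code: a small Python check that reads the [global] section of an smb.conf (or a per-machine smb.conf.%m file) and flags the setting combinations discussed in this thread. The finding labels, the sample configurations and the LDAP host name are constructed; treating an unset "encrypt passwords" as yes is an assumption.

```python
import re

TRUE = {"yes", "true", "1", "on"}

# Constructed samples; the LDAP host name is a placeholder.
SAMPLE_THREAD = """[global]
  encrypt passwords = no
  passdb backend = ldapsam:ldap://ldap.example.test, guest
"""
SAMPLE_MIGRATE = SAMPLE_THREAD + "  update encrypted = yes\n"
SAMPLE_OS_LEVEL = "[global]\n  Encrypt Passwords = no\n  passdb backend = guest\n"

def global_params(text):
    """Collect [global] parameters; names compared without case or spaces."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params["".join(key.lower().split())] = value.strip()
    return params

def review(text):
    """Return hypothetical finding labels for the password settings."""
    p = global_params(text)
    # Assumption: an unset "encrypt passwords" is treated as yes.
    encrypted = p.get("encryptpasswords", "yes").lower() in TRUE
    updating = p.get("updateencrypted", "no").lower() in TRUE
    backends = [b.strip().lower() for b in p.get("passdbbackend", "").split(",")]
    ldapsam = any(b.startswith("ldapsam") for b in backends)
    findings = []
    if not encrypted and ldapsam:
        findings.append("plaintext+ldapsam")      # combination reported as not working
    if not encrypted and updating:
        findings.append("hash-capture")           # NT/LM hashes stored at plaintext logon
    if not encrypted and not updating:
        findings.append("plaintext-only")         # no hashes are being gathered
    if encrypted and updating:
        findings.append("update-encrypted-no-effect")
    return findings

if __name__ == "__main__":
    for name in ("SAMPLE_THREAD", "SAMPLE_MIGRATE", "SAMPLE_OS_LEVEL"):
        print(name, review(globals()[name]))
```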