[Samba] update encypted and LDAP - solution

Martin Sapsed m.sapsed at bangor.ac.uk
Mon Jun 16 15:35:03 GMT 2003

Martin Sapsed wrote:
> I'm currently trying out samba-3.0alpha24 and moving to samba-3.0.0beta1 
> since we're getting into XP and encrypted passwords etc. I was hoping to 
> set everyone (about 13,000 users) up on an LDAP (openLDAP) server with 
> just the Unix crypt passwords for now and run with
> encrypt passwords = no
> update encrypted = yes
> for a while to populate the NT/LM password hashes before going over to 
> encrypted passwords for everyone. (Most clients are Win 9x using plain 
> text passwords against NIS at the moment.)
>  From what I can see and have gathered from some searching, it looks 
> like "update encrypted" only works with an smbpasswd file. Is this the 
> case? If so, has anyone out there tried living with a 13,000 line 
> smbpasswd file for any length of time??

I'm answering my own question since nobody else got quite the right 
answer although Tom Crummey put me thinking along the right lines.

If you have

  passdb backend = ldapsam:ldap://..., guest
  encrypt passwords = yes

then the Microsoft encrypted passwords stored in LDAP are used and 
obviously this is the preferred solution for security and co-operation 
from windows 2000 and XP etc.

If, however, you have

  passdb backend = ldapsam:ldap://..., guest
  encrypt passwords = no
  update encrypted = yes

then the authentication check is against whatever authentication 
mechanism the underlying machine is using (in my case NIS but could be 
PAM etc) but the update encrypted flag causes the NT/LM passwords in 
LDAP to be updated. My mistake was to assume that if you used ldapsam: 
then authentication was against LDAP - the userid I was testing with had 
a different crypt password in LDAP to what was in NIS.

Thanks to Tom for pointing me right. Apologies to John Terpstra if my 
last reply to him was a bit terse!

Keep up the good work, team...



Martin Sapsed				
Information Services               "Who do you say I am?"
University of Wales, Bangor             Jesus of Nazareth

More information about the samba mailing list