[Samba] password ldap clarification requested...

Adam Tauno Williams awilliam at whitemice.org
Sun Feb 6 20:14:05 GMT 2005

> I would like to know if the following statements are true, just to make 
> sure that my understanding of passwords/ldap stuff is correct...
> Vampireing passwords from an nt4 pdc only populates the ldap server with 
> windows passwords, and not the (linux) userPassword. 


> Authenticating 
> linux logons against this ldap server is therefore only possible using 
> winbind.

Not entirely true.

> 'Normal' ldap enabled software can NOT authenticate against this ldap, 
> because they expect a userPassword, and by simply vampireing this 
> password is left blank.

Yes, but recent OpenLDAP servers support authenticating binds against a
LANMAN hash.

> The "ldap passwd sync = yes" smb.conf option makes sure that when 
> updating the 'windows' password (via idealx scripts, for example) the 
> (linux) userPassword get's updated as well.

Yep, via password-modify extended operation.

> So: suppose I migrate our domain to samba, and on the first samba day, I 
> set all accounts to 'required to change password upon first login' I 
> would end up having new passwords for everybody, both for windows and 
> linux. 


> And all normal ldap enabled software would then be able to use 
> that ldap directory to authenticate to.


> Are these assumptions correct? Thanks very much for feedback.

More or less.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.samba.org/archive/samba/attachments/20050206/c9221d2a/attachment.bin

More information about the samba mailing list