[Samba] password ldap clarification requested...

Gémes Géza geza at kzsdabas.sulinet.hu
Sun Feb 6 20:46:51 GMT 2005


Adam Tauno Williams wrote:

>>I would like to know if the following statements are true, just to make
>>sure that my understanding of passwords/ldap stuff is correct...
>>Vampiring passwords from an nt4 pdc only populates the ldap server with
>>windows passwords, and not the (linux) userPassword.
>
>Yes.
>
>>Authenticating linux logons against this ldap server is therefore only
>>possible using winbind.
>
>Not entirely true.
>
>>'Normal' ldap enabled software can NOT authenticate against this ldap,
>>because they expect a userPassword, and by simply vampiring this
>>password is left blank.
>
>Yes, but recent OpenLDAP servers support authenticating binds against a
>LANMAN hash.
>
And what could be more interesting, you could have a Heimdal Kerberos
authenticating against the NT hash, see
https://sec.miljovern.no/bin/view/Info/HeimdalKerberosSambaAndOpenLdap
for the details.

>>The "ldap passwd sync = yes" smb.conf option makes sure that when
>>updating the 'windows' password (via idealx scripts, for example) the
>>(linux) userPassword gets updated as well.
>
>Yep, via password-modify extended operation.
>
>>So: suppose I migrate our domain to samba, and on the first samba day, I
>>set all accounts to 'required to change password upon first login' I
>>would end up having new passwords for everybody, both for windows and
>>linux.
>
>Yes.
>
>>And all normal ldap enabled software would then be able to use
>>that ldap directory to authenticate to.
>
>Yes.
>
>>Are these assumptions correct? Thanks very much for feedback.
>
>More or less.
>
Cheers Geza
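The thread describes directory entries that carry only the vampired Samba NT/LM hashes and no userPassword, which non-Samba LDAP software cannot bind against. The script below is an added example (not from the thread or from Samba itself) that audits an LDIF export for exactly that state; the attribute names are the standard Samba 3 LDAP schema ones, and the LDIF data is constructed.

```python
"""Audit an LDIF export for Samba accounts that a plain LDAP bind cannot use.

Constructed sample data. Attribute names (sambaNTPassword, sambaLMPassword,
userPassword) are the standard Samba 3 LDAP schema attributes.
"""

# Constructed LDIF: alice was vampired only, bob has had "ldap passwd sync"
# populate userPassword, carol's userPassword is present but blank.
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=com
objectClass: sambaSamAccount
uid: alice
sambaNTPassword: 0123456789ABCDEF0123456789ABCDEF
sambaLMPassword: FEDCBA9876543210FEDCBA9876543210

dn: uid=bob,ou=People,dc=example,dc=com
objectClass: sambaSamAccount
uid: bob
sambaNTPassword: 00112233445566778899AABBCCDDEEFF
userPassword:: e1NTSEF9cGxhY2Vob2xkZXI=

dn: uid=carol,ou=People,dc=example,dc=com
objectClass: sambaSamAccount
uid: carol
sambaNTPassword: AABBCCDDEEFF00112233445566778899
userPassword:
"""


def parse_ldif(text):
    """Minimal LDIF parser: list of {attr_lower: [values]} per entry.
    Handles folded continuation lines; '::' (base64) values are kept encoded."""
    entries, lines = [], []
    for raw in text.splitlines() + [""]:
        if raw.startswith(" ") and lines:       # folded continuation line
            lines[-1] += raw[1:]
        elif raw.strip() == "":                 # blank line ends an entry
            if lines:
                entries.append(_to_entry(lines))
                lines = []
        elif not raw.startswith("#"):
            lines.append(raw)
    return entries


def _to_entry(lines):
    entry = {}
    for line in lines:
        attr, _, value = line.partition(":")
        # LDAP attribute names are case-insensitive; strip ':' of '::' form
        entry.setdefault(attr.lower(), []).append(value.lstrip(": ").strip())
    return entry


def audit(entries):
    """Return (uid, reason) for entries with a Samba NT hash but no usable
    userPassword, i.e. accounts only winbind/Samba can authenticate."""
    findings = []
    for e in entries:
        if "sambantpassword" not in e:
            continue
        if not any(v for v in e.get("userpassword", [])):
            findings.append((e.get("uid", ["?"])[0], "missing or empty userPassword"))
    return findings


if __name__ == "__main__":
    for uid, reason in audit(parse_ldif(SAMPLE_LDIF)):
        print(f"{uid}: {reason}")
```

Run against a real `slapcat` or `ldapsearch -LLL` export, the same audit shows which accounts still need a password change before non-Samba LDAP clients can authenticate them.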