[Samba] password ldap clarification requested...
Gémes Géza
geza at kzsdabas.sulinet.hu
Sun Feb 6 20:46:51 GMT 2005
Adam Tauno Williams írta:
>>I would like to know if the following statements are true, just to make
>>sure that my understanding of passwords/ldap stuff is correct...
>>Vampireing passwords from an nt4 pdc only populates the ldap server with
>>windows passwords, and not the (linux) userPassword.
>>
>>
>
>Yes.
>
>
>
>>Authenticating
>>linux logons against this ldap server is therefore only possible using
>>winbind.
>>
>>
>
>Not entirely true.
>
>
>
>>'Normal' ldap enabled software can NOT authenticate against this ldap,
>>because they expect a userPassword, and by simply vampireing this
>>password is left blank.
>>
>>
>
>Yes, but recent OpenLDAP servers support authenticating binds against a
>LANMAN hash.
>
>
>
And what could be more inetresting, you could have a Heimdal Kerberos
authenticating against the NT hash, see
https://sec.miljovern.no/bin/view/Info/HeimdalKerberosSambaAndOpenLdap
for the details
>>The "ldap passwd sync = yes" smb.conf option makes sure that when
>>updating the 'windows' password (via idealx scripts, for example) the
>>(linux) userPassword get's updated as well.
>>
>>
>
>Yep, via password-modify extended operation.
>
>
>
>>So: suppose I migrate our domain to samba, and on the first samba day, I
>>set all accounts to 'required to change password upon first login' I
>>would end up having new passwords for everybody, both for windows and
>>linux.
>>
>>
>
>Yes.
>
>
>
>>And all normal ldap enabled software would then be able to use
>>that ldap directory to authenticate to.
>>
>>
>
>Yes.
>
>
>
>>Are these assumptions correct? Thanks very much for feedback.
>>
>>
>
>More or less.
>
>
Cheers Geza
More information about the samba
mailing list