[Samba] password ldap clarification requested...

Heupink, Mourik Jan C. Heupink at INTECH.UNU.EDU
Mon Feb 7 11:43:57 GMT 2005


Thanks very much for the replies. This helps!

and for the Heimdal Kerberos stuff: I'm very much trying to stick to the
KISS principle, so that might be something for later. :)

Thanks,
mourik jan

> -----Original Message-----
> From: Gémes Géza [mailto:geza at kzsdabas.sulinet.hu] 
> Sent: 06 February 2005 21:47
> To: awilliam at whitemice.org
> Cc: mourik jan c heupink; samba at lists.samba.org
> Subject: Re: [Samba] password ldap clarification requested...
> 
> 
> Adam Tauno Williams írta:
> 
> >>I would like to know if the following statements are true, just to
> >>make sure that my understanding of passwords/ldap stuff is correct...
> >>Vampiring passwords from an nt4 pdc only populates the ldap server with
> >>windows passwords, and not the (linux) userPassword.
> >>
> >
> >Yes.
> >
> >>Authenticating linux logons against this ldap server is therefore only
> >>possible using winbind.
> >>
> >
> >Not entirely true.
> >
> >>'Normal' ldap enabled software can NOT authenticate against this ldap,
> >>because they expect a userPassword, and by simply vampiring this
> >>password is left blank.
> >>
> >
> >Yes, but recent OpenLDAP servers support authenticating binds against a
> >LANMAN hash.
> >
> And what could be more interesting, you could have a Heimdal Kerberos
> authenticating against the NT hash, see
> https://sec.miljovern.no/bin/view/Info/HeimdalKerberosSambaAndOpenLdap
> for the details
> 
> >>The "ldap passwd sync = yes" smb.conf option makes sure that when
> >>updating the 'windows' password (via idealx scripts, for example) the
> >>(linux) userPassword gets updated as well.
> >>
> >
> >Yep, via password-modify extended operation.
> >
> >>So: suppose I migrate our domain to samba, and on the first samba day, I
> >>set all accounts to 'required to change password upon first login' I
> >>would end up having new passwords for everybody, both for windows and
> >>linux.
> >>
> >
> >Yes.
> >
> >>And all normal ldap enabled software would then be able to use
> >>that ldap directory to authenticate to.
> >>
> >
> >Yes.
> >
> >>Are these assumptions correct? Thanks very much for feedback.
> >>
> >
> >More or less.
> >
> Cheers Geza
> 
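The thread's point is that a vampired domain leaves sambaSamAccount entries with NT/LM hashes but no userPassword, so plain LDAP binds fail until "ldap passwd sync = yes" and a forced password change fill the attribute in. The script below is an added example (not code from the thread or from Samba); it audits an LDIF dump for exactly that gap, and also flags userPassword values stored with the weak {LANMAN} scheme that the OpenLDAP bind trick relies on. The LDIF and every hash value are constructed placeholders; the attribute names come from the Samba 3 LDAP schema, and treating sambaPwdMustChange = 0 as "change forced at next logon" is an assumption about the Samba 3.0 convention.

```python
import base64

# Constructed sample LDIF (not from the thread): three sambaSamAccount entries
# as they might look after a vampire run and after one forced password change
# with "ldap passwd sync = yes". All hash values are placeholders.
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=com
objectClass: sambaSamAccount
objectClass: posixAccount
uid: alice
sambaLMPassword: 00000000000000000000000000000000
sambaNTPassword: 11111111111111111111111111111111
sambaPwdMustChange: 0

dn: uid=bob,ou=People,dc=example,dc=com
objectClass: sambaSamAccount
objectClass: posixAccount
uid: bob
userPassword:: e1NTSEF9cGxhY2Vob2xkZXI=
sambaLMPassword: 22222222222222222222222222222222
sambaNTPassword: 33333333333333333333333333333333
sambaPwdMustChange: 2147483647

dn: uid=carol,ou=People,dc=example,dc=com
objectClass: sambaSamAccount
objectClass: posixAccount
uid: carol
userPassword: {LANMAN}44444444444444444444444444444444
sambaNTPassword: 55555555555555555555555555555555
"""


def parse_ldif(text):
    """Minimal LDIF reader: one {attr: [values]} dict per entry.
    Handles 'attr: value' and base64 'attr:: value'; no line folding."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#") or ":" not in line:
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):  # 'attr:: <base64>'
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        current.setdefault(attr.strip(), []).append(value)
    if current:
        entries.append(current)
    return entries


def audit_entry(entry):
    """Return the findings for one sambaSamAccount entry."""
    findings = []
    has_samba_hash = bool(entry.get("sambaNTPassword") or entry.get("sambaLMPassword"))
    user_pw = entry.get("userPassword", [])
    # The vampire gap: Windows hashes present, but nothing for a plain LDAP bind.
    if has_samba_hash and not user_pw:
        findings.append("no_unix_password")
    # Bind works, but the Unix credential is the weak LM hash.
    if any(v.upper().startswith("{LANMAN}") for v in user_pw):
        findings.append("lanman_userpassword")
    # Assumption (Samba 3.0 convention): 0 means "must change at next logon".
    if entry.get("sambaPwdMustChange", [""])[0] == "0":
        findings.append("password_change_forced")
    return findings


def audit_ldif(text):
    """Map uid -> findings for every sambaSamAccount entry in the dump."""
    report = {}
    for entry in parse_ldif(text):
        if "sambaSamAccount" not in entry.get("objectClass", []):
            continue
        report[entry.get("uid", ["?"])[0]] = audit_entry(entry)
    return report


if __name__ == "__main__":
    for uid, findings in audit_ldif(SAMPLE_LDIF).items():
        print(f"{uid}: {', '.join(findings) or 'ok'}")
```

Run it against a real `slapcat` or `ldapsearch -LLL` dump to see which accounts still cannot bind; an account reported as both no_unix_password and password_change_forced is in the state the thread describes, where the first Windows logon plus "ldap passwd sync = yes" will populate userPassword.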
