[Samba] "ldap passwd sync" and shadow attributes

Andreas ahasenack at terra.com.br
Wed Nov 2 11:59:06 GMT 2005


On Wed, Nov 02, 2005 at 01:18:07PM +1100, Andrew Bartlett wrote:
> > Are you asking the LDAP server to change the password, or are you changing
> > it yourself? It sounds like the former, and if that's the case then the
> > server should definitely be updating the shadow stuff.
> 
> We call the openldap password change control, giving it the new
> plaintext.  The LDAP server should do something sensible with it.

Even if it could, it doesn't help much because samba still needs access
to the samba password hashes. It (samba) doesn't bind to the directory
with the user credentials, does it? It binds as the admin dn, fetches
the samba hashes and decides for itself if the user password is correct
or not.
These two password schemes (samba hashes and userPassword) are the whole
problem. And then there are also different password policies out there
for linux (shadow) and samba. So, this makes us store duplicate
information.

