[Samba] "ldap passwd sync" and shadow attributes

Eric A. Hall ehall at ehsco.com
Wed Nov 2 16:52:05 GMT 2005

On 11/2/2005 6:59 AM, Andreas wrote:

> Even if it could, it doesn't help much because samba still needs access
> to the samba password hashes. It (samba) doesn't bind to the directory
> with the user credentials, does it? It binds as the admin dn, fetches
> the samba hashes and decides for itself if the user password is correct
> or not.

Right. You can't bind-as-user if you don't know the password. And since
LM/NT passwords are stored and relayed as hashes of the password, the
password is not known (or reversible).

I suppose that if the user needed SMB authentication (only), then it might
be feasible to use the hashes as an LDAP password, as a substitute for the
userPassword attribute essentially. This might even work for PAM-based
authentication systems that can use a plugin to convert the user-provided
password to an LM/NT hash. I might look into this more later but I don't
think it would prove to be usable as a general strategy.

Another option is to change the Windows systems so they use a different
authentication system, using http://pgina.xpasystems.com perhaps. I
haven't looked at that stuff yet, but my guess is that it only affects
login access and that SMB access will still need LM/NT authentication.

Eric A. Hall                                        http://www.ehsco.com/
Internet Core Protocols          http://www.oreilly.com/catalog/coreprot/

More information about the samba mailing list