[Samba] ldap authentication fails

Gordon Messmer yinyang at eburg.com
Tue Jan 24 03:07:52 GMT 2006


Andy Kesterson wrote:
> 
>    The problem that we are having is when Samba has the "encrypt
> passwords" option enabled, we receive a "session setup failed:
> NT_STATUS_LOGON_FAILURE" message. When "encrypt passwords" is disabled
> the login is successful.
...
>   We have set up Samba, OpenLDAP, and PAM to use MD5 as their hashing function.

When "encrypt passwords" is disabled, and the client is appropriately 
configured, the client will establish a session by sending its username 
and password, both in plain text.  With the plain text password from the 
client, the server can use PAM to authenticate the user.

However, if you don't want to reconfigure all of your Windows desktops, 
and you don't want your passwords sent across the network in plain text 
for each connection, you should have "encrypt passwords" turned on.  In 
this configuration, the client and server engage in a challenge-response 
conversation to authenticate the users.  To do that, the server needs to 
have the plain-text equivalent of the user's password.  If you had a 
smbpasswd file before converting to LDAP, you can use that to get the 
values that you need.  If not, then you'll need all of your users to set 
their password.  However you choose to solve that problem, you need to 
make sure that in addition to the "userPassword" attribute, each user 
has a "sambaLMPassword" and a "sambaNTPassword" attribute.  The values 
for those two attributes can be formed using the "mkntpwd" program, if 
you want to script the password changes.

Be careful to configure your LDAP server such that users cannot read 
the sambaLMPassword and sambaNTPassword attributes from the server. 
Those values are plain-text equivalents, and could be used to log in as 
the user to whom they belong.
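
The access restriction described in the last paragraph, written as OpenLDAP ACLs. This is an added example, not part of the original message; it assumes a slapd.conf-style configuration, and the DN cn=samba,dc=example,dc=com is a placeholder for whatever DN Samba binds as ("ldap admin dn" in smb.conf).

```conf
# slapd.conf fragment (OpenLDAP). "access to" clauses are evaluated in order
# and the first one that matches the attribute wins, so the specific rules
# must appear before the catch-all at the bottom.

# Weak setup: if the catch-all rule at the bottom is the only ACL, every
# client that can search the directory can also read the Samba hashes.

# Samba password hashes: only the DN Samba binds as may read or write them.
# No "by self" clause, because write access would also grant read.
access to attrs=sambaLMPassword,sambaNTPassword
    by dn.exact="cn=samba,dc=example,dc=com" write
    by * none

# userPassword: usable for binds (auth), changeable by its owner and by
# Samba, not readable by anyone else.
access to attrs=userPassword
    by dn.exact="cn=samba,dc=example,dc=com" write
    by self write
    by anonymous auth
    by * none

# Catch-all for the remaining attributes.
access to * by * read
```

To check the result, search for a user entry while bound as an ordinary account and confirm that sambaLMPassword and sambaNTPassword are absent from the returned attributes. The rootdn is not subject to ACLs, so it will always see them.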

