[Samba] ldap password sync and RFC2307 hash schemes

Logan Shaw lshaw at emitinc.com
Fri Jun 30 17:57:45 GMT 2006 

Hey everyone,

I'm running Samba on Slackware 10.2.  As near as I can tell
based on looking at the glibc source, my options for Unix
passwords (in /etc/passwd, or LDAP -- same options) are these:

1.  crypt() with plain old, busted traditional hashing.
2.  crypt() with MD5 hashing, via $1$saltsalt$hashhashhashhash
     format; the crypt() function the special format and
     automatically uses the MD5 algorithm.

Obviously, out of the two, the second one is preferable.

So, I've configured smbldap-tools by putting the following
in smbldap.conf:

 	hash_encrypt="CRYPT"
 	crypt_salt_format="$1$%.8s"

So far, so good.  Running smbldap-passwd causes crypt()-style
MD5 passwords to go into userPassword attributes in LDAP, and
Unix users can login just fine.  The userPassword attributes
look like

 	{crypt}$1$saltsalt$hashhashhashhash

just as RFC 2307 says they should if they are using the crypt
hash scheme.

Now, here's the question:  how do I do the equivalent thing
for Samba?  How do I make Samba know it should use the crypt
scheme for userPassword?  If I put

 	ldap password sync = Yes

into smb.conf, then it is going to update userPassword
attributes, but how is it going to know that I need it to
use the crypt hash scheme?  Or does it send a plaintext
password and let the LDAP server take care of that?  Is this
a function of Samba or is it a function of the LDAP server?
For what it's worth, I'm using OpenLDAP.  I know if I use
the OpenLDAP program slappasswd, I can tell manually *it*
to generate passwords using the crypt scheme, but that's not
the same thing as what the LDAP server does when it receives
a password changing exop from Samba.

For now, I'm planning to "solve" this problem by putting

 	unix password sync = Yes
 	passwd program = /path/to/smbldap-passwd -u %u
 	passwd chat = (stuff appropriate for smbldap-passwd)

into smb.conf.  But this strikes me as a little ugly.  As I
understand it, smbldap-passwd changes LM and NT hashes, and so
does Samba, so when Samba is asked to change a user's password,
Samba is going to change LM and NT hashes, and then it's going
to call smbldap-passwd which is going to change them again.
I don't *know* of a reason why this is harmful, but it doesn't
seem very clean...

   - Logan

More information about the samba mailing list