[Samba] ldap password sync and RFC2307 hash schemes

Logan Shaw lshaw at emitinc.com
Fri Jun 30 21:31:17 GMT 2006


On Fri, 30 Jun 2006, Logan Shaw wrote:
> I'm running Samba on Slackware 10.2.  As near as I can tell
> based on looking at the glibc source, my options for Unix
> passwords (in /etc/passwd, or LDAP -- same options) are these:
>
> 1.  crypt() with plain old, busted traditional hashing.
> 2.  crypt() with MD5 hashing, via $1$saltsalt$hashhashhashhash
>    format; the crypt() function recognizes the special format and
>    automatically uses the MD5 algorithm.

> Now, here's the question:  how do I do the equivalent thing
> for Samba?  How do I make Samba know it should use the crypt
> scheme for userPassword?  If I put
>
> 	ldap password sync = Yes
>
> into smb.conf, then it is going to update userPassword
> attributes, but how is it going to know that I need it to
> use the crypt hash scheme?  Or does it send a plaintext
> password and let the LDAP server take care of that?  Is this
> a function of Samba or is it a function of the LDAP server?

To answer my own question, the answer seems to be that Samba
will do an exop (extended operation) when talking to the LDAP
server and will ask it to change the password.  That means
I can have the OpenLDAP server select the correct password
hashing scheme by putting this into slapd.conf:

	password-hash {CRYPT}
	password-crypt-salt-format "$1$%.8s"

In other words, slapd.conf has very similar options to what
I had put into smbldap.conf.

(Now, if I could only figure out why sometimes ldappasswd,
which triggers a password exop, causes my password to get
reset to "*".  But that's another battle, I think...)

   - Logan
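The slapd.conf lines above make the server store userPassword as {CRYPT} followed by a glibc-style MD5-crypt string ($1$ + an 8-character salt, from "$1$%.8s", + 22 hash characters), which is what lets the same value satisfy both a Unix login and an LDAP bind. The following is an added example (not code from the post, from Samba or from OpenLDAP) that implements that MD5-crypt scheme with only the standard library, produces the value slapd would store, parses RFC 2307 userPassword values, and verifies a password against them. It also treats the "{CRYPT}*" value mentioned at the end of the post as a locked entry that never verifies. Function names, the sample password and the salt are the example's own choices; the optional cross-check against the platform's crypt(3) only runs where Python still ships the crypt module.

```python
"""Generate and verify RFC 2307 {CRYPT} userPassword values in the $1$ (MD5-crypt)
format that slapd produces with:
    password-hash {CRYPT}
    password-crypt-salt-format "$1$%.8s"
Added example; not part of the original post, Samba or OpenLDAP."""
import hashlib
import hmac
import secrets

# crypt(3)'s own 64-character alphabet (not RFC 4648 base64)
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MAGIC = b"$1$"


def _to64(value: int, count: int) -> str:
    """Emit `count` 6-bit groups of `value`, least significant group first."""
    out = []
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def md5crypt(password: bytes, salt: str) -> str:
    """MD5-crypt as computed by glibc/FreeBSD crypt(3) for $1$ settings.
    `salt` is the bare salt: at most 8 characters, a '$' terminates it."""
    salt = salt.split("$", 1)[0][:8]
    salt_b = salt.encode("ascii")

    ctx = hashlib.md5(password + MAGIC + salt_b)
    alt = hashlib.md5(password + salt_b + password).digest()
    remaining = len(password)
    while remaining > 0:                      # mix in `alt`, one 16-byte block per 16 password bytes
        ctx.update(alt[:min(16, remaining)])
        remaining -= 16
    bits = len(password)
    while bits:                               # one byte per bit of the password length
        ctx.update(b"\0" if bits & 1 else password[:1])
        bits >>= 1
    final = ctx.digest()

    for i in range(1000):                     # the fixed 1000-round stretching loop
        ctx1 = hashlib.md5(password if i & 1 else final)
        if i % 3:
            ctx1.update(salt_b)
        if i % 7:
            ctx1.update(password)
        ctx1.update(final if i & 1 else password)
        final = ctx1.digest()

    # Output byte order is the one crypt(3) uses, not sequential.
    groups = [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)]
    enc = "".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4) for a, b, c in groups)
    enc += _to64(final[11], 2)
    return f"$1${salt}${enc}"


def make_salt() -> str:
    """8 random salt characters, the width "$1$%.8s" asks slapd for."""
    return "".join(secrets.choice(ITOA64) for _ in range(8))


def hash_for_ldap(password: str, salt: str = "") -> str:
    """The userPassword value slapd stores under password-hash {CRYPT}."""
    return "{CRYPT}" + md5crypt(password.encode("utf-8"), salt or make_salt())


def parse_userpassword(value: str) -> tuple:
    """Split an RFC 2307 value into (SCHEME, data); scheme names are case-insensitive.
    A value with no {SCHEME} prefix comes back with scheme '' (slapd treats it as cleartext)."""
    if value.startswith("{") and "}" in value:
        scheme, _, data = value[1:].partition("}")
        return scheme.upper(), data
    return "", value


def verify_userpassword(value: str, password: str) -> bool:
    """True only if `value` is a {CRYPT} MD5-crypt hash of `password`.
    Anything not shaped like $1$salt$hash, including the '*' that locks an account,
    never verifies."""
    scheme, data = parse_userpassword(value)
    if scheme != "CRYPT" or not data.startswith("$1$"):
        return False
    parts = data.split("$")                   # ['', '1', salt, hash]
    if len(parts) != 4 or not parts[2] or len(parts[3]) != 22:
        return False
    expected = md5crypt(password.encode("utf-8"), parts[2])
    return hmac.compare_digest(expected.encode(), data.encode())


def libc_crosscheck(password: str = "correct horse") -> bool:
    """Compare against the platform crypt(3) where Python still ships the crypt
    module (it was removed in 3.13). Returns True on a match or when no reference
    $1$ implementation is available."""
    try:
        import crypt
    except ImportError:
        return True
    salt = make_salt()
    ref = crypt.crypt(password, "$1$" + salt + "$")
    if not ref or not ref.startswith("$1$"):
        return True
    return ref == md5crypt(password.encode("utf-8"), salt)


if __name__ == "__main__":
    stored = hash_for_ldap("correct horse")          # constructed sample password
    print(stored)
    print(verify_userpassword(stored, "correct horse"), verify_userpassword(stored, "wrong"))
    print(verify_userpassword("{CRYPT}*", "correct horse"))   # locked entry: False
```

Running the module prints one freshly salted value, then True False, then False for the locked "{CRYPT}*" entry. The 1000-round MD5 construction is the one glibc uses for $1$, so a value produced here (or by slapd with the settings above) also works in /etc/shadow; the design still offers far less stretching than modern schemes, which is the trade-off accepted when choosing {CRYPT} for compatibility with crypt(3).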

