[Samba] Questions about Active Directory Password Cache overlay

Wes Modes wmodes at ucsc.edu
Mon Apr 7 18:22:59 GMT 2008

Thanks to Buchan Milne, I'm looking into the Active Directory Password 
Cache overlay for OpenLDAP, which seems to offer more or less what I'm 
trying to do.  Is anyone here experienced with it?  Is this the right 
place to ask or is there an openLDAP overlays list?

I understand this description of ADPC:

    Active Directory Password Cache

    Active Directory does not provide any means to read user credentials on any
    API. It is possible, to install additional libraries as password sniffer to
    catch and forward cleartext passwords on changes. In case you cannot or simply
    want to install such libraries, the Active Directory Password Cache overlay
    is your option.

    The Active Directory Password Cache overlay allows to mirror user account
    credentials without any modification on the AD server. It only takes one
    occasional simple bind authentication against the OpenLDAP server.

    If the credential has not been mirrored yet, the overlay uses the
    and the password provided by the user to perform a Kerberos init against the
    Active Directory. A successful Kerberos init guarantees a correct password for
    this principal, and therefor the bind finally succeeds.

    Within this overlay operation, the password gets encrypted with the default
    OpenLDAP hash alorithm and stored as userPassword attribute. There is an option
    to update the sambaNTPassword also (using code borrowed from Howard Chu's
    smbk5pwd overlay). All following simple bind authentications will first try
    these cached credentials, making the OpenLDAP server independent from AD.

    In case the user changes its password on the Active Directory server, the old
    password stays valid in OpenLDAP until the user first presents the new password
    for an simple bind. Within this bind operation, the overlay performs another
    Kerberos init and updates the cached credentials in OpenLDAP.

It is clear to me that after a password change, that a failure to 
authenticate initiates a new auth attempt against the KDC, and if it 
succeeds, ADPC caches the passwd as a hash in OpenLDAP.  But if Samba 
fails to authenticate against the hash stored in sambaNTPassword, is a 
new authentication attempt made against the KDC?  And if it does, where 
does it get the passwd to hash (since Samba never gets the passwd in 
NTLM authentication)?

Practically speaking, it seems that the password that the overlay hashes 
has to come from a source other than Samba.  A web app?  How have people 
used it in the past? 



Wes Modes
Server Administrator & Programmer Analyst
McHenry Library
Computing & Network Services
Information and Technology Services

More information about the samba mailing list