[Samba] Convert ssha password to sambaNTpassword?

[Scott Lovenberg]

Matt Richardson wrote:
> Is it possible to take a SSHA password from an ldif and create a 
> proper sambaNTpassword from it?  Here's the scenario:  the ldap 
> servers in our organization do not have the samba schema installed and 
> the likelihood of that happening is slim.  I still want to provide 
> clients with as close to a single sign on solution as possible and I 
> can get an ldif of the accounts I need.  However, the password field 
> is SSHA and I will still need to generate sambaLMpassword and 
> sambaNTpasswd fields (along with the rest, but that part is a wrapper 
> script around smbldap-utils away.)  There is a remote possibility of 
> getting these hashes generated by an Identity Management Server, which 
> would make the problem go away.     The IDM solution is remote, as the 
> admin for it is already overworked, so parsing an ldif seems to be the 
> best solution at the moment.
>
> Any suggestions would be appreciated.
>
Are PAM modules a viable route and/or one that you'd consider?  I have 
no idea how it would work, but it seems to me that it's a good loosely 
coupled interface from both sides of the problem.  To be honest, I run 
Slackware and PAM isn't included as Patric V. strong believes PAM is a 
security risk, so I can't comment on how easy an implementation might be 
as I've only toyed with it on a few occasions.  I know, however, that 
Samba uses PAM for syncing the passwd/shadow files, so there must be 
some sort of interfacing capabilities native to Samba.