[Samba] pGINA and samba - authentication against LDAP userPassword field?

Rubin Bennett rbennett at thatitguy.com
Mon Dec 15 14:41:44 GMT 2008


On Mon, 2008-12-15 at 14:23 +0000, J Xu wrote:
> Hi,
> 
> A while ago, someone mentioned taking pGINA code to samba, so samba can work against LDAP authentication, but instead of using the sambaNTPassword and sambaLMPassword, this way samba can use the userPassword field directly.
> 
> This sounds very promising because we can then just use one set of passwords. It may not be usable in a domain environment where machine accounts and other complex stuff are difficult to handle. But it is perfectly okay for a single linux machine in workgroup mode. It can even provide user authentication to other Windows boxes with pGINA installed and configured.
> 
> Here is the original thread that discussed this:
>   http://lists.samba.org/archive/samba/2005-March/101660.html
> 
> 
> I am wondering where the samba team currently stands on this issue? Or is there anyone else interested in this?
> 
There's a project that does something like this called smbk5pwd.

Background:  We've deployed LDAP as the authentication backend for a
mixed environment: Samba DC, Windows XP workstations and LTSP server.
The logon credentials are the same across environments (i.e. 'userx' can
log in to both Windows workstations and LTSP clients).
We wanted our users to be able to update their passwords from either
environment; the Samba password change (i.e. on a Windows workstation)
works fine - the ldap server updates both the md5 hash and the NTLM hash
in the LDAP directory for that user.
We wanted similar functionality in the LTSP environment.  We found and
tried for a time to deploy smbk5pwd but have so far been unsuccessful.
That project seems like the most reasonable way to get where you are
wanting to get however... dimming the security, or adding functionality
that will certainly and spectacularly break other components of Samba
seems like a bad idea.
I would recommend contacting the smbk5pwd folks and seeing what they have
to say.

Hope that helps,
Rubin

> Thanks,
> JX
-- 
Rubin Bennett
rbTechnologies, LLC
80 Carleton Boulevard
East Montpelier, VT 05651

(802)223-4448
http://thatitguy.com

"Think for yourselves and let others enjoy the privilege to do so too."
  Voltaire, Essay on Tolerance
  French author, humanist, rationalist, & satirist (1694 - 1778)


