[Samba] samba password hashes exposed to ldapsearch

Chuck Kollars ckollars9 at yahoo.com
Tue Jul 29 20:07:05 GMT 2008

> ... I see that the samba password hashes are shown with a simple 
> ldapsearch command. ...

I do not have this problem. My /etc/openldap/slapd.conf includes the lines at the end of this message. The passwords are not visible via ldapsearch, yet the Samba on the same machine can still access them (probably because it runs as "root"). 

(The lines also include a provision for syncrepl replication, which probably isn't relevant to Samba usage.)

-Chuck Kollars

### set up some restrictions to not make passwords visible
access to attrs=sambaLMPassword,sambaNTPassword,MMSNumber,userPassword
        by dn.exact="cn=ReplicateUser,dc=ipswichschools,dc=org" read
        by * auth
# Default read access to everything else
# (should be last to act as "default")
# (not optional - without this it doesn't work right)
access to *
        by * read
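
An added example, not part of the original message: a small Python audit that parses the `access to` directives of a slapd.conf and reports which password attributes an anonymous bind could see, following slapd's first-match rule order. It handles only the `*` and `attrs=` forms used above; the `WEAK` config and all function names are constructed for illustration.

```python
import re

# Constructed inputs: HARDENED repeats the ACL from the message above;
# WEAK is a made-up config with only the catch-all rule.
HARDENED = '''\
access to attrs=sambaLMPassword,sambaNTPassword,MMSNumber,userPassword
        by dn.exact="cn=ReplicateUser,dc=ipswichschools,dc=org" read
        by * auth
access to *
        by * read
'''
WEAK = "access to *\n        by * read\n"

SECRETS = ["sambaLMPassword", "sambaNTPassword", "userPassword"]
# slapd access levels, lowest to highest
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

def parse_acl(conf):
    """Return [(what, [(who, level), ...]), ...] in file order."""
    joined = re.sub(r"\n[ \t]+", " ", conf)  # leading whitespace continues a line
    rules = []
    for line in joined.splitlines():
        if not line.startswith("access to "):
            continue  # comments and other directives
        what, *by = re.split(r"\s+by\s+", line[len("access to "):].strip())
        # Assumes <who> has no embedded spaces, as in the sample.
        rules.append((what, [tuple(b.split()[:2]) for b in by]))
    return rules

def anonymous_access(rules, attr):
    """Level an anonymous bind gets for attr; the first matching rule decides."""
    if not rules:
        return "read"  # slapd's default when no access directive exists
    for what, by in rules:
        m = re.match(r"attrs=(\S+)", what)
        if what != "*" and not (m and attr.lower() in m.group(1).lower().split(",")):
            continue
        for who, level in by:
            if who in ("*", "anonymous"):
                return level
        return "none"  # every rule ends with an implicit "by * none"
    return "none"  # nothing matched: implicit "access to * by * none"

def exposed_attrs(conf, attrs=SECRETS):
    """Attributes an anonymous client can do more than bind against."""
    rules = parse_acl(conf)
    return [a for a in attrs
            if LEVELS.index(anonymous_access(rules, a)) > LEVELS.index("auth")]

if __name__ == "__main__":
    print("hardened:", exposed_attrs(HARDENED))
    print("weak:    ", exposed_attrs(WEAK))
```
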


