[Samba] Understanding ldap auth credentials
Adam Tauno Williams
awilliam at whitemice.org
Fri Mar 27 06:04:42 GMT 2009
On Thu, 2009-03-26 at 22:35 -0400, jeff sacksteder wrote:
> I'm try to create a single sign on configuration for a home
> fileserver, storing user accounts in the directory and using those
> credentials to authenticate Linux shell logins, server applications
> and PDC logins.
Not single sign on (that is Kerberos), but unified (one) login.
> It appears that the uid and SID are the only mandatory attributes, but
> I also see attributes for storing the passwd or pw hash. Is the passwd
> to be stored in the LDAP record twice - once as a posix pw and once as
> a domain pw?
No, three times. Your "UNIX" password crypt in userpassword and twice
for cifs: once as an NT hash (MD5?) and one as a LANMAN hash. It works
out fine - just change your passwords via Samba or use the standard
change-password extended operation [LDAP] with the smbk5 module and they
will all be updated simultaneously.
> Can't Samba just use the existing pw attribute?
> If I attempt to auth, check_ntlm_password returns
> NT_STATUS_WRONG_PASSWORD. Could that also result from not being able
> to find the appropriate pw attribute?
OpenGroupware developer: awilliam at whitemice.org
OpenGroupare & Cyrus IMAPd documenation @
More information about the samba