[Samba] Understanding ldap auth credentials

Adam Tauno Williams awilliam at whitemice.org
Fri Mar 27 06:04:42 GMT 2009

On Thu, 2009-03-26 at 22:35 -0400, jeff sacksteder wrote:
> I'm try to create a single sign on configuration for a home
> fileserver, storing user accounts in the directory and using those
> credentials to authenticate Linux shell logins, server applications
> and PDC logins.

Not single sign on (that is Kerberos), but unified (one) login.

> It appears that the uid and SID are the only mandatory attributes, but
> I also see attributes for storing the passwd or pw hash. Is the passwd
> to be stored in the LDAP record twice - once as a posix pw and once as
> a domain pw? 

No, three times.  Your "UNIX" password crypt in userpassword and twice
for cifs: once as an NT hash (MD5?) and one as a LANMAN hash.  It works
out fine - just change your passwords via Samba or use the standard
change-password extended operation [LDAP] with the smbk5 module and they
will all be updated simultaneously.

> Can't Samba just use the existing pw attribute?


> If I attempt to auth, check_ntlm_password returns
> NT_STATUS_WRONG_PASSWORD. Could that also result from not being able
> to find the appropriate pw attribute?

OpenGroupware developer: awilliam at whitemice.org
OpenGroupare & Cyrus IMAPd documenation @

More information about the samba mailing list