[Samba] Understanding ldap auth credentials

Axel Werner mail at awerner.homeip.net
Mon Mar 30 07:04:32 GMT 2009


On 27.03.2009 07:04, Adam Tauno Williams wrote:
>> It appears that the uid and SID are the only mandatory attributes, but
>> I also see attributes for storing the passwd or pw hash. Is the passwd
>> to be stored in the LDAP record twice - once as a posix pw and once as
>> a domain pw?
>
> No, three times.  Your "UNIX" password crypt in userpassword and twice
> for cifs: once as an NT hash (MD5?) and one as a LANMAN hash.  It works
> out fine - just change your passwords via Samba or use the standard
> change-password extended operation [LDAP] with the smbk5 module and they
> will all be updated simultaneously.


Master-Question:

What if you have MIXED users? Say users working on the Linux console (via
SSH) and users who work at Windows PCs (connected via Samba), and you
want to maintain only ONE account database and you want to make sure
that the users' passwords are consistent at ALL TIMES. And OF COURSE you
want to ensure that users use strong passwords (a complexity check like
pam_cracklib provides), that users don't reuse passwords
(password history), and password aging. Of course the users must be allowed to
change their passwords wherever they are (Windows side and console
side). Also the users are to be forced to change their password on their
first login or if their admin has reset their passwords.

How to achieve that?? This isn't some "fantasy" scenario; this should be
an everyday scenario for all networks. Solved in Novell NetWare/NDS and
Microsoft Windows Server. Also solved in Linux/open source???


Will Kerberos still solve this scenario?
