[Samba] Understanding ldap auth credentials

Axel Werner mail at awerner.homeip.net
Mon Mar 30 07:04:32 GMT 2009

Am 27.03.2009 07:04, Adam Tauno Williams schrieb:
>> It appears that the uid and SID are the only mandatory attributes, but
>> I also see attributes for storing the passwd or pw hash. Is the passwd
>> to be stored in the LDAP record twice - once as a posix pw and once as
>> a domain pw? 
> No, three times.  Your "UNIX" password crypt in userpassword and twice
> for cifs: once as an NT hash (MD5?) and one as a LANMAN hash.  It works
> out fine - just change your passwords via Samba or use the standard
> change-password extended operation [LDAP] with the smbk5 module and they
> will all be updated simultaneously.


What if you got MIXED Users? Say Users working on the Linux console (via 
SSH) and Users who work at Windows PCs (connected via Samba) and you 
want to maintain only ONE Account-Database and you want to make sure 
that the Users Passwords are consistent at ALL TIME. and OF COURSE you 
want to ensure that users use strong passwords (complexity check like 
pam_cracklib provides it), that users dont use passworts multiple times 
(PW history) and password aging. Of course the Users must be allowed to 
change their passwords whereever they are (windows side and console 
side). Also the Users are to be forced to change their password on their 
first login or if their admin has reseted their passwords.

How to achive that ?? This isnt some "fantasy" Scenario. this should be 
a every day scenario for all networks. solved in novell netware/nds  and 
microsoft windows Server. Also solved in Linux/Opensource ???

Will still Kerberos solve this Scenario ?

More information about the samba mailing list