[Samba] Samba & (anonymous) LDAP Authentication

Gaiseric Vandal gaiseric.vandal at gmail.com
Tue Mar 30 07:45:34 MDT 2010

Unix and Windows/Samba servers both store passwords in a one-way
encrypted format.  So when you authenticate to a server, you type in
your password, the server encrypts it and compares it to the encrypted
version it has in its password database.  This is important
since your encrypted password data may (legitimately or not) be
accessible to other people.  This is separate from any network level
encryption that may be used.  (For example, if you telnet into a server
your password is stored in an encrypted format but the password is still
transmitted in the clear.)

Unix and Windows use different password encryption methods, which means
that they have to have different encrypted passwords stored, which
means the users have to have different passwords.  (Unix uses things
like CRYPT or MD5.)  You can have unix use the windows password via
winbindd.  However, to have Windows/Samba use the unix password (which
is what you want) you would have to configure samba to disable the
password encryption (which is what you don't want.)  I am not sure of the
exact syntax and I am pretty sure it is strongly discouraged.

As far as I know, you cannot use Windows password encryption routines
for the unix passwords directly.

On 03/29/2010 07:16 PM, Robert Heller wrote:
> At Mon, 29 Mar 2010 17:38:39 -0400 gaiseric.vandal at gmail.com wrote:
>> According to how you have described your environment, whether or not you
>> use LDAP for Samba's backend, your users will still need corresponding
>> unix accounts AND will still have separate unix and windows
>> passwords.  If you use ldap there will be separate fields for the
>> different passwords.  If you configure password sync it should appear
>> to the users that they have a single password.  (i.e. when they change the
>> password in Windows or with smbpasswd the unix password should also
>> change.)
>> If you really want a single password I think your options are as follows:
>>       Configure unix logons to use winbind authentication (i.e.
>> authenticate using the samba/windows password.)
>>       Use kerberos for unix and samba.
>> But that may not resolve your concerns with Samba writing to LDAP.
>> So if you only have one samba machine and only a few users you may
>> still want to stick to the TDB backend for the windows account info.
>> Samba will still match the unix name to the windows name either way.
> OK, it looks like that is what I am stuck with.  I only *really* need
> one or two users -- it is only for dealing with backups and posting some
> files.  This seems to work; I will just have to live with the potential
> issues of possible differing passwords if/when that happens -- it is
> only two usernames at present.
> Question: why can't samba just use UNIX's user authentication?  Is this
> something in the way MS-Windows encrypts the password it sends over the
> NetBIOS protocol?  Or is there some other issue going on?
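The following is an added example written for this thread; it is not code from the list post or from Samba. It shows the point made above in runnable form: a server keeps only a one-way hash and verifies a login by re-hashing what the user typed, and the Unix-side hash and the Windows-side NT hash of the same password are computed by unrelated algorithms, so neither store can be filled from the other without the plaintext (which is why password sync only works at password-change time, when the plaintext is in hand). The MD4 routine follows RFC 1320 (the NT hash is MD4 over the UTF-16LE password with no salt); the "Unix-style" hash is a salted PBKDF2-SHA512 stand-in, an assumption made here in place of the crypt(3) formats the post names, and the salt is a constructed sample value.

```python
"""One-way password storage: a Unix-style salted hash next to the Windows
NT hash, and constant-time verification of each.  Added example, not
Samba's code.  MD4 per RFC 1320; PBKDF2-SHA512 is a stand-in for crypt(3)."""
import hashlib
import hmac
import struct

MASK32 = 0xFFFFFFFF


def _lrot(x: int, n: int) -> int:
    """Rotate a 32-bit word left by n bits."""
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4(data: bytes) -> bytes:
    """MD4 digest (RFC 1320).  Windows' NT hash is MD4 over UTF-16LE text."""
    msg = bytearray(data)
    bit_len = (8 * len(data)) & 0xFFFFFFFFFFFFFFFF
    msg.append(0x80)                      # padding: a single 1 bit, then zeros
    while len(msg) % 64 != 56:
        msg.append(0)
    msg += struct.pack("<Q", bit_len)     # then the 64-bit message length

    def f(x, y, z): return (x & y) | (~x & z)
    def g(x, y, z): return (x & y) | (x & z) | (y & z)
    def h(x, y, z): return x ^ y ^ z

    def step(fn, a, b, c, d, x, s, k):
        return _lrot((a + fn(b, c, d) + x + k) & MASK32, s)

    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):                                   # round 1
            a = step(f, a, b, c, d, X[i], (3, 7, 11, 19)[i % 4], 0)
            a, b, c, d = d, a, b, c
        for i in range(16):                                   # round 2
            x = X[(i % 4) * 4 + i // 4]
            a = step(g, a, b, c, d, x, (3, 5, 9, 13)[i % 4], 0x5A827999)
            a, b, c, d = d, a, b, c
        for i in range(16):                                   # round 3
            x = X[(0, 2, 1, 3)[i // 4] + (0, 8, 4, 12)[i % 4]]
            a = step(h, a, b, c, d, x, (3, 9, 11, 15)[i % 4], 0x6ED9EBA1)
            a, b, c, d = d, a, b, c
        a, b, c, d = ((a + aa) & MASK32, (b + bb) & MASK32,
                      (c + cc) & MASK32, (d + dd) & MASK32)
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    """What a Windows/Samba password database stores: unsalted MD4 of UTF-16LE."""
    return md4(password.encode("utf-16le"))


def unix_hash(password: str, salt: bytes) -> bytes:
    """Stand-in for crypt(3) (assumption: salted, iterated PBKDF2-SHA512)."""
    return hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, 100_000)


def verify(stored: bytes, candidate: bytes) -> bool:
    """Server-side check: hash what was typed the same way and compare in
    constant time.  The plaintext is never kept, only the stored hash."""
    return hmac.compare_digest(stored, candidate)


def demo(password: str = "password") -> dict:
    salt = b"constructed-salt"   # constructed sample; real systems use os.urandom()
    unix_stored = unix_hash(password, salt)
    nt_stored = nt_hash(password)
    return {
        "nt_hex": nt_stored.hex(),
        "unix_hex": unix_stored.hex(),
        "unix_ok": verify(unix_stored, unix_hash(password, salt)),
        "nt_ok": verify(nt_stored, nt_hash(password)),
        "unix_rejects_wrong": not verify(unix_stored, unix_hash("Password", salt)),
        "nt_rejects_wrong": not verify(nt_stored, nt_hash("Password")),
        # Neither stored value embeds the other: converting one to the other
        # would need the plaintext, which is exactly what is not stored.
        "hashes_unrelated": nt_stored not in unix_stored,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the module prints both hashes for the same password and the four verification results; the NT hash is unsalted, so the same password always yields the same stored value, which is one reason a leaked Samba passdb or LDAP `sambaNTPassword` attribute deserves the same protection as /etc/shadow.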
