[Samba] Samba & (anonymous) LDAP Authentication
gaiseric.vandal at gmail.com
Tue Mar 30 07:45:34 MDT 2010
Unix and Windows/Samba servers both store passwords in a one-way
encrypted format. So when you authenticate to a server, you type in
your password, the server encrypts it and compares it to the encrypted
version it has in its password database. This is important
since your encrypted password data may (legitimately or not) be
accessible to other people. This is separate from any network level
encryption that may be used. (For example, if you telnet into a server
your password is stored in an encrypted format but the password is still
transmitted in the clear.)
Unix and Windows use different password encryption methods which means
that they have to have different encrypted passwords stored, which
means the users have to have different passwords. (Unix uses things
like CRYPT or MD5.) You can have unix use the windows password via
Winbindd. However to have Windows/Samba use the unix password (which
is what you want) you would have to configure samba to disable the
password encryption (which is what you don't want.) I am not sure of the
exact syntax and I am pretty sure it is strongly discouraged.
As far as I know, you can not use Windows password encryption routines
for the unix passwords directly.
On 03/29/2010 07:16 PM, Robert Heller wrote:
> At Mon, 29 Mar 2010 17:38:39 -0400 gaiseric.vandal at gmail.com wrote:
>> According to how you have described your environment, whether or not you
>> use LDAP for Samba's backend, your users will still need corresponding
>> unix accounts AND will still have separate unix and windows
>> passwords. If you use ldap there will be separate fields for the
>> different passwords. If you configure password sync it should appear
>> to the users that they have a single password. (i.e. they change the
>> password in Windows or with smbpassword the unix password should also
>> If you really want a single password I think your options are as follows-
>> Configure unix logons to use winbind authentication (i.e.
>> authenticate using the samba/windows password.)
>> Use kerberos for unix and samba.
>> But that may not resolve your concerns with Samba writing to LDAP.
>> So if you only have one samba machine and only a few users you may
>> still want to stick to the TDB backend for the windows account info.
>> Samba will still match the unix name to the windows name either way.
> OK, it looks like that is what I am stuck with. I only *really* need
> one or two users -- it is only for dealing with backups and posting some
> files. This seems to work; I will just have to live with the potential
> issues of possible differing passwords if/when that happens -- it is
> only two usernames at present.
> Question: why can't samba just use UNIX's user authentication? Is this
> something in the way MS-Windows encrypts the password it sends over the
> NetBIOS protocol? Or is there some other issue going on?
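An added illustration (not part of the original thread) of why a server that holds only the Unix-style entry cannot check a Windows-style encrypted logon, while a plaintext logon works against it. PBKDF2-SHA256 and SHA-256/HMAC are stand-ins assumed here for crypt(3) and for the Windows hash and its challenge-response; the function names and the sample password are constructed.

```python
import hashlib
import hmac
import os

def unix_style_hash(password: str, salt: bytes) -> bytes:
    # Stand-in for crypt(3): salted, iterated one-way hash of the typed password.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 10_000)

def windows_style_hash(password: str) -> bytes:
    # Stand-in for the Windows/Samba hash: unsalted digest of the UTF-16LE
    # password (the real one uses MD4; SHA-256 is swapped in for portability).
    return hashlib.sha256(password.encode("utf-16-le")).digest()

def unix_login(salt: bytes, stored: bytes, typed_password: str) -> bool:
    # The server sees the typed password, re-hashes it and compares.
    return hmac.compare_digest(unix_style_hash(typed_password, salt), stored)

def client_response(password: str, challenge: bytes) -> bytes:
    # Encrypted-password logon: the client keys a MAC over the server's
    # challenge with its own hash; the password itself is never sent.
    return hmac.new(windows_style_hash(password), challenge, hashlib.sha256).digest()

def server_check(stored_key: bytes, challenge: bytes, response: bytes) -> bool:
    # The server can verify only if it stores the same key the client derived.
    expected = hmac.new(stored_key, challenge, hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)

def demo() -> dict:
    password = "Backup-2010!"                      # constructed sample password
    salt = os.urandom(16)
    unix_entry = unix_style_hash(password, salt)   # shadow-style stored entry
    windows_entry = windows_style_hash(password)   # Samba backend stored entry
    challenge = os.urandom(8)
    response = client_response(password, challenge)
    return {
        "unix_plaintext_login": unix_login(salt, unix_entry, password),
        "smb_with_windows_entry": server_check(windows_entry, challenge, response),
        "smb_with_unix_entry": server_check(unix_entry, challenge, response),
        "entries_differ": unix_entry != windows_entry,
    }

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Because both stored entries are one-way, neither can be converted into the other; a sync tool can only write both at the moment the user supplies the plaintext password.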