ldap gina
Andrew Bartlett
abartlet at pcug.org.au
Sat Mar 9 14:57:03 GMT 2002
Osama Dengler wrote:
>
> On 7 Mar 2002 at 17:57, Andrew Bartlett wrote on the subject Re: ldap gina:
> My opinion on this:
>
> > I really don't see what this gains you (apart from a *lot* of work) over
> > just running Samba as a PDC on an LDAP backend. That way you don't
> > need to worry about undocumented SAMR interfaces, as samba already
> > handles all that.
> >
> > You are going to need NT and LM hashes in your LDAP directory the moment
> > you want to do a file-share connect anyway (not needing these being the
> > main reason I can see for doing this).
>
> Well, running samba as PDC w/ LDAP SAM doesn't solve the problem of
> unix / NT password synchronisation if you don't use winbind.
I don't see how you come to this conclusion. Have you attempted to use
the 'unix password sync' smb.conf option? Or ran pam_smbpass on the
PDC?
Personally, I use pam_winbind and pam_krb5 to keep my two password
databases in sync - it works quite well actually.
> As winbind is
> not an option in many environments.
Which environments? I know of (and we are working on) the NFS case, but
what others?
> I'm thinking of a different way of
> synchronizing the passwords. The idea is to make NT use the unix password
> instead of changing the unix auth subsystem. That is the main reason for
> the effort I spent in LdapLsaAp.
I really don't think this can actually work for anything more than the
initial logon prompt, but I would be glad to be proved otherwise.
> Another scenario are the many sites where not even LDAP is an option but
> e.g. NIS is used for unix authentication. Once LdapLsaAp is running, it could
> easily be used as a framework for other ways of authentication apart from
> LDAP.
>
> The other thing I'm currently trying is to write an NT password filter DLL that
> is responsible for keeping the passwords in sync. This should probably be
> easier than a complete authentication package. However, I've tried this
> some time ago and it didn't work because the DLL was never being called
> although everything was set up correctly. I'll give this another try.
>
> I don't know enough about how a fileshare connection is made between Windows
> systems. The authentication package documentation mentions "network logons".
> I assumed this to be the mechanism that is used for fileshare connections. If
> the SAM is directly queried there is obviously a problem with LdapLsaAp and we
> might need a full security package.
The file-share connections use the NTLM challenge-response mechanism -
therefore the minimum requirement is that you are able to process an
NTLM challenge-response pair. This means that you *must* store either
the cleartext password or the NT and LM hashes.
Andrew Bartlett
--
Andrew Bartlett abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team abartlet at samba.org
Student Network Administrator, Hawker College abartlet at hawkerc.net
http://samba.org http://build.samba.org http://hawkerc.net