Re: Unix auth via LDAP & now need to add Samba!



I'm interested in using LDAP authentication for Samba, and eventually in
getting multi-user Windows machines using OpenLDAP for login
authentication, so I have a few fundamental questions on how this works.

There seem to be some knowledgeable readers in this thread, so here
goes...

1) smbPassword is stored in cleartext, right? If not, how can Samba do the
challenge-response authentication that Win2k and above expect?

2) Samba doesn't try to synch smbPassword and userPassword, right?
If it did, this would be a security violation, since the cleartext
version of my Unix password would be stored alongside the hashed version.
I assume users need to run passwd and smbpasswd separately in order to
change the two passwords from a Unix box. Can they also change smbPassword
from a Windows client?

3) Suppose (horror horribilis) I were willing to give up the requirement
that Unix passwords are stored in hashed form. Could I get Windows clients
to authenticate off Unix passwords? I don't just mean for filesharing, but
for user login -- the idea would be to replace Active Directory. How would
this work in detail (i.e. do smbPassword and userPassword become a single
attribute? or do I need some funky pam_ldap module modifications to make
sure they are synched at all times?)