
Re: Unix auth via LDAP & now need to add Samba!



>I'm interested in using LDAP authentication for Samba, and eventually in
>getting multi-user Windows machines using OpenLDAP for login
>authentication, so I have a few fundamental questions on how this works.
>There seem to be some knowledgeable readers in this thread, so here
>goes...
>1) smbPassword is stored in cleartext, right? 

No.

>If not, how can Samba do the challenge-response authentication that
>Win2k and above expect?

The same way NT, Win2K and XP (the official OS of Angamandi) do.  They
use a generated response from the NT hash.  Same way M$-CHAP v2 works.

>2) Samba doesn't try to synch smbPassword and userPassword, right?

No, unless you tell it to, then it does.

>If it did, this would be a security violation, since the cleartext
>version of my Unix password would be stored alongside the hashed version.

No, there are no cleartext passwords unless you set up your userpasswd
attribute that way.

>I assume users need to run passwd and smbpasswd separately in order to
>change the two passwords from a Unix box.

Users can run them separately.  Or you can have Samba maintain sync when
a user calls smbpasswd.

>Can they also change smbPassword
>from a Windows client?

Yes, the "Change password" button on Win9x, NT, Y2k, and I assume XP,
works.  It is the *EXACT* same effect as a user changing their password
via smbpasswd.

>3) Suppose (horror horabilis) I were willing to give up the requirement
>that Unix passwords are stored in hashed form. Could I get Windows clients
>to authenticate off Unix passwords? I don't just mean for filesharing, but
>for user login -- the idea would be to replace Active Directory. 

No, you can't.  Not without building your own GINA and a cobweb of other
little chunks of code.  Samba works as an NT Domain controller, not as
an AD.  But it can be an NT PDC with an LDAP backend.

>How would this work in detail (i.e. do smbPassword and userPassword
>become a single attribute?

No. userpasswd and ntpassword and lmpassword all employ different
encryption mechanisms and requirements.

>or do I need some funky pam_ldap module modifications to make

There is both a PAM and an NSS module that come with Samba for auth-ing
against either a Samba PDC or a "real" NT PDC.  I wouldn't call them
"funky", it is just standard PAM type stuff.  I prefer to use NSS
straight to LDAP on UNIX clients, but I've used both pam_ldap and the
Samba PAM module, both work fine for authentication.  If you use the
Samba PAM module you can ditch userpasswd entirely.  But pam_ldap does
offer some nice functionality that going through Samba loses (per host
authorization, etc...)
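The challenge-response the reply describes (the server answers the client's response using only the stored NT hash, never a cleartext password) is shown below as an added, stand-alone example; it is not code from the post or from Samba. It computes the NT hash (MD4 of the UTF-16LE password, which is what the post calls ntpassword and current Samba schema stores in sambaNTPassword), then runs an NTLMv2-style exchange per MS-NLMP: the client derives its response from the password, the server recomputes it from the stored hash and compares. MD4 is implemented in pure Python because hashlib's md4 is often disabled in OpenSSL 3 builds. The user name, domain, password, server challenge and client blob are constructed sample values, and the helper names are mine. The caveat a practitioner should take from it: because the hash alone suffices to produce a valid response, the LDAP attribute holding it is password-equivalent and needs the same ACL protection as a cleartext secret.

```python
"""NT hash and NTLMv2 challenge-response computed from the stored hash only.

Added example, not from the mailing-list post or from Samba. Pure-Python MD4
(RFC 1320) is used so the example runs where hashlib lacks md4.
"""
import hashlib
import hmac
import struct

MASK32 = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4(data: bytes) -> bytes:
    """MD4 per RFC 1320, the digest behind the NT hash."""
    msg = bytearray(data)
    bit_len = (8 * len(data)) & 0xFFFFFFFFFFFFFFFF
    msg.append(0x80)                      # padding: 1 bit, zeros, 64-bit length
    while len(msg) % 64 != 56:
        msg.append(0)
    msg += struct.pack("<Q", bit_len)

    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    r3_order = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)

    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        # Each round does 16 steps; rotating (a, b, c, d) after every step
        # reproduces the a/d/c/b update order of the specification.
        for i in range(16):                                   # round 1
            a = _rotl((a + F(b, c, d) + X[i]) & MASK32, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                                   # round 2
            k = (i % 4) * 4 + i // 4
            a = _rotl((a + G(b, c, d) + X[k] + 0x5A827999) & MASK32,
                      (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                                   # round 3
            a = _rotl((a + H(b, c, d) + X[r3_order[i]] + 0x6ED9EBA1) & MASK32,
                      (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        h = [(v + w) & MASK32 for v, w in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def nt_hash(password: str) -> bytes:
    """The value stored (hex-encoded) in the NT password attribute."""
    return md4(password.encode("utf-16-le"))


def ntowf_v2(nt_hash_bytes: bytes, user: str, domain: str) -> bytes:
    """MS-NLMP NTOWFv2: derived from the hash, so no cleartext is needed."""
    ident = (user.upper() + domain).encode("utf-16-le")
    return hmac.new(nt_hash_bytes, ident, hashlib.md5).digest()


def ntlmv2_response(nt_hash_bytes: bytes, user: str, domain: str,
                    server_challenge: bytes, client_blob: bytes) -> bytes:
    """NTProofStr: HMAC-MD5 over the server challenge and the client blob."""
    key = ntowf_v2(nt_hash_bytes, user, domain)
    return hmac.new(key, server_challenge + client_blob, hashlib.md5).digest()


def server_verify(stored_nt_hash: bytes, user: str, domain: str,
                  server_challenge: bytes, client_blob: bytes,
                  response: bytes) -> bool:
    """What the domain controller does: recompute from the stored hash."""
    expected = ntlmv2_response(stored_nt_hash, user, domain,
                               server_challenge, client_blob)
    return hmac.compare_digest(expected, response)


def demo() -> dict:
    """Constructed exchange: one correct password, one wrong one."""
    user, domain = "alice", "EXAMPLE"                # constructed sample account
    stored = nt_hash("correct horse")                # what the directory holds
    challenge = bytes.fromhex("0123456789abcdef")    # constructed 8-byte challenge
    blob = b"\x01\x01" + b"\x00" * 6 + b"\x00" * 8 + b"\xde\xad\xbe\xef"  # constructed

    good = ntlmv2_response(nt_hash("correct horse"), user, domain, challenge, blob)
    bad = ntlmv2_response(nt_hash("Correct horse"), user, domain, challenge, blob)
    return {
        "nt_hash_hex": stored.hex(),
        "verified": server_verify(stored, user, domain, challenge, blob, good),
        "wrong_password_verified": server_verify(stored, user, domain, challenge, blob, bad),
        # Replaying the same response against a fresh challenge must fail.
        "replay_verified": server_verify(stored, user, domain,
                                         bytes.fromhex("fedcba9876543210"), blob, good),
    }


if __name__ == "__main__":
    print(nt_hash("password").hex())   # 8846f7eaee8fb117ad06bdd830b7586c
    print(demo())
```

Note that the server never sees or needs the password: whoever can read the hash attribute from the directory can produce `good` exactly as the client did, which is why Samba's LDAP ACLs restrict that attribute to the Samba bind DN.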