Re: Unix auth via LDAP & now need to add Samba!
>I'm interested in using LDAP authentication for Samba, and eventually in
>getting multi-user Windows machines using OpenLDAP for login
>authentication, so I have a few fundamental questions on how this works.
>There seem to be some knowledgeable readers in this thread, so here
>goes...
>1) smbPassword is stored in cleartext, right?
No.
>If not, how can Samba do the challenge-response authentication that
>Win2k and above expect?
The same way NT, Win2K and XP (the official OS of Angamandi) do. They
use a generated response from the NT hash. Same way M$-CHAP v2 works.
>2) Samba doesn't try to synch smbPassword and userPassword, right?
No, unless you tell it to, then it does.
>If it did, this would be a security violation, since the cleartext
>version of my Unix password would be stored alongside the hashed version.
No, there are no cleartext passwords unless you set up your userpasswd
attribute that way.
>I assume users need to run passwd and smbpasswd separately in order to
>change the two passwords from a Unix box.
Users can run them separately. Or you can have Samba maintain sync when
a user calls smbpasswd.
>Can they also change smbPassword
>from a Windows client?
Yes, the "Change password" button on Win9x, NT, Y2k, and I assume XP,
works. It is the *EXACT* same effect as a user changing their password
via smbpasswd.
>3) Suppose (horror horribilis) I were willing to give up the requirement
>that Unix passwords are stored in hashed form. Could I get Windows clients
>to authenticate off Unix passwords? I don't just mean for filesharing, but
>for user login -- the idea would be to replace Active Directory.
No, you can't. Not without building your own GINA and a cobweb of other
little chunks of code. Samba works as an NT Domain controller, not as
an AD. But it can be an NT PDC with an LDAP backend.
>How would this work in detail (i.e. do smbPassword and userPassword
>become a single attribute)?
No. userpasswd and ntpassword and lmpassword all employ different
encryption mechanisms and requirements.
>or do I need some funky pam_ldap module modifications to make
There is both a PAM and an NSS module that come with Samba for auth-ing
against either a Samba PDC or a "real" NT PDC. I wouldn't call them
"funky", it is just standard PAM type stuff. I prefer to use NSS
straight to LDAP on UNIX clients, but I've used both pam_ldap and the
Samba PAM module, both work fine for authentication. If you use the
Samba PAM module you can ditch userpasswd entirely. But pam_ldap does
offer some nice functionality that going through Samba loses (per host
authorization, etc...)