Re: Samba, email, LDAP and password integration and management
We have a system setup where our email, ftp, Windows, and Linux logins
are all done through OpenLDAP and Samba. The Linux clients authenticate
directly to LDAP, while the Windows clients go through the Samba domain
controller that talks LDAP to OpenLDAP for the passwords (stored as
described below in hashes). It's been working for over a year now like a
Christian Jung wrote:
You won't be able to use the same password-attributes for Windows and
other systems. Samba stores its data in two attributes (lmPassword and
ntPassword or similar). These are hashes of the user-password which
aren't compatible with - let's say - crypt or MD5 which are used by a
lot of Unix-flavors.
The only way is to store these passwords in different attributes and
synchronize them. Samba supports calling a script on password change
(see man smb.conf, search for "passwd program" and "passwd chat").
Linux can synchronize the windows-passwords via PAM. The
password-change script which would be called by Samba could check the
quality of the password.
This ain't nice but with a bit of luck it should work...
BTW: The Windows-hashes are not very secure and should be protected by
Brian Johnson wrote:
I set up a test server about a year ago to try this and gave up since
it didn't seem that the processes were quite yet in place to do it ..
I am evaluating the potential for Samba and Linux accounts (including
accounts) to share the same passwords (between software) and have a
process in place to encourage users to change their passwords and try
to prevent easy to crack passwords
Could someone please confirm whether they have such a system working
difficult it was to set up?
When I looked at it before, it seemed that although Samba could use
LDAP, it used a different schema from the standard system accounts and
therefore there was not really any sharing of password data
If it matters, my server I'd like to do this on is a Redhat 7.3 system