[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Samba, email, LDAP and password integration and management

We have a system setup where our email, ftp, Windows, and Linux logins are all done through OpenLDAP and Samba. The Linux clients authenticate directly to LDAP, while the Windows clients go through the Samba domain controller that talks LDAP to OpenLDAP for the passwords (stored as decribed below in hashes). It's been working for over a year now like a charm.


Christian Jung wrote:

Hi Brian!

You won't be able to use the same password-attributes for Windows and other systems. Samba stores its data in two attributes (lmPassword and ntPassword or similar). These are hashes of the user-password which aren't compatible with - let's say - crypt or MD5 which are used by a lot of Unix-flavors.

The only way is to store these passwords in different attributes and synchronize them. Samba supports calling a script on password change (see man smb.conf, search for "passwd program" and "passwd chat"). Linux can synchronize the windows-passwords via PAM. The password-change script which would be called by Samba could check the quality of the password.

This ain't nice but with a bit luck it should work...

BTW: The Windows-hashes are not very secure and should be protected by good ACLs.


Brian Johnson wrote:

I set up a test server about a year ago to try this and gave up since it didn't seem
that the processes were quite yet in place to do it ..

I am evaluating the potential for Samba and Linux accounts (including postfix email
accounts) to share the same passwords (between software) and have a process in place
to encourage users to change their passwords and try to prevent esay to crack passwords

Could someone please confirm whether they have such a system working and how
difficult it was to set up?

When I looked at it before, it seemed that although Samba could use LDAP, it used a
different schema from the standard system accounts and therefore there was not
really any sharing of password data

If it matters, my server I'd like to do this on is a Redhat 7.3 system