[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: smbk5pwd and ppolicy working together

> Let me ask two theoretical questions, before I submit my comments
> below.  Windows XP/2000/et. al. send their passwords via SMB hashed. 
> So, without configuring those workstations to send the passwords
> plaintext over the wire, is there any way for ppolicy to act on the
> ldapmodify initiated by Samba from Windows clients attempting to change
> their passwords? 

You do *NOT* need to configure the clients to use cleartext password -
which BTW would break domain functionality anyway.

Samba has a cleartext equivalent of the password when you do a password
change,  else how would password chat scripts work?

> Furthermore, if the above change is made so that ppolicy can evaluate
> the plaintext password, what exactly will the interaction between LDAP
> and the clients be if it fails to clear ppolicy constraints?