Hello all, I'm currently trying out samba-3.0alpha24 and moving to samba-3.0.0beta1 since we're getting into XP and encrypted passwords etc. I was hoping to set everyone (about 13,000 users) up on an LDAP (openLDAP) server with just the Unix crypt passwords for now and run with encrypt passwords = no update encrypted = yes for a while to populate the NT/LM password hashes before going over to encrypted passwords for everyone. (Most clients are Win 9x using plain text passwords against NIS at the moment.) From what I can see and have gathered from some searching, it looks like "update encrypted" only works with an smbpasswd file. Is this the case? If so, has anyone out there tried living with a 13,000 line smbpasswd file for any length of time?? Servers are Sun Solaris 9 and Linux Debian Stable if that matters. Cheers, Martin -- Martin Sapsed Information Services "Who do you say I am?" University of Wales, Bangor Jesus of Nazareth
On Tue, 2003-06-10 at 02:13, Martin Sapsed wrote:> Hello all, > > I'm currently trying out samba-3.0alpha24 and moving to samba-3.0.0beta1 > since we're getting into XP and encrypted passwords etc. I was hoping to > set everyone (about 13,000 users) up on an LDAP (openLDAP) server with > just the Unix crypt passwords for now and run with > > encrypt passwords = no > update encrypted = yes > > for a while to populate the NT/LM password hashes before going over to > encrypted passwords for everyone. (Most clients are Win 9x using plain > text passwords against NIS at the moment.) > > From what I can see and have gathered from some searching, it looks > like "update encrypted" only works with an smbpasswd file. Is this the > case?The code routines call the passdb backend, whatever that may be. Andrew Bartlett -- Andrew Bartlett abartlet@pcug.org.au Manager, Authentication Subsystems, Samba Team abartlet@samba.org Student Network Administrator, Hawker College abartlet@hawkerc.net http://samba.org http://build.samba.org http://hawkerc.net -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: This is a digitally signed message part Url : http://lists.samba.org/archive/samba/attachments/20030609/c1f23eff/attachment.bin
Martin Sapsed wrote:> I'm currently trying out samba-3.0alpha24 and moving to samba-3.0.0beta1 > since we're getting into XP and encrypted passwords etc. I was hoping to > set everyone (about 13,000 users) up on an LDAP (openLDAP) server with > just the Unix crypt passwords for now and run with > > encrypt passwords = no > update encrypted = yes > > for a while to populate the NT/LM password hashes before going over to > encrypted passwords for everyone. (Most clients are Win 9x using plain > text passwords against NIS at the moment.) > > From what I can see and have gathered from some searching, it looks > like "update encrypted" only works with an smbpasswd file. Is this the > case? If so, has anyone out there tried living with a 13,000 line > smbpasswd file for any length of time??I'm answering my own question since nobody else got quite the right answer although Tom Crummey put me thinking along the right lines. If you have passdb backend = ldapsam:ldap://..., guest encrypt passwords = yes then the Microsoft encrypted passwords stored in LDAP are used and obviously this is the preferred solution for security and co-operation from windows 2000 and XP etc. If, however, you have passdb backend = ldapsam:ldap://..., guest encrypt passwords = no update encrypted = yes then the authentication check is against whatever authentication mechanism the underlying machine is using (in my case NIS but could be PAM etc) but the update encrypted flag causes the NT/LM passwords in LDAP to be updated. My mistake was to assume that if you used ldapsam: then authentication was against LDAP - the userid I was testing with had a different crypt password in LDAP to what was in NIS. Thanks to Tom for pointing me right. Apologies to John Terpstra if my last reply to him was a bit terse! Keep up the good work, team... Cheers, Martin -- Martin Sapsed Information Services "Who do you say I am?" University of Wales, Bangor Jesus of Nazareth