J Xu
2008-Dec-15 14:30 UTC
[Samba] pGINA and samba - authentication against LDAP userPassword field?
Hi,

A while ago, someone mentioned taking pGINA code to Samba, so Samba can work against LDAP authentication, but instead of using the sambaNTPassword and sambaLMPassword, this way Samba can use the userPassword field directly.

This sounds very promising because we can then just use one set of passwords. It may not be usable in a domain environment where machine accounts and other complex stuff are difficult to handle. But it is perfectly okay for a single Linux machine in workgroup mode. It can even provide user authentication to other Windows boxes with pGINA installed and configured.

Here is the original thread that discussed this:
http://lists.samba.org/archive/samba/2005-March/101660.html

I am wondering where the Samba team currently stands on this issue? Or is there anyone else interested in this?

Thanks,
JX
Rubin Bennett
2008-Dec-15 14:42 UTC
[Samba] pGINA and samba - authentication against LDAP userPassword field?
On Mon, 2008-12-15 at 14:23 +0000, J Xu wrote:
> Hi,
>
> A while ago, someone mentioned taking pGINA code to Samba, so Samba can work against LDAP authentication, but instead of using the sambaNTPassword and sambaLMPassword, this way Samba can use the userPassword field directly.
>
> This sounds very promising because we can then just use one set of passwords. It may not be usable in a domain environment where machine accounts and other complex stuff are difficult to handle. But it is perfectly okay for a single Linux machine in workgroup mode. It can even provide user authentication to other Windows boxes with pGINA installed and configured.
>
> Here is the original thread that discussed this:
> http://lists.samba.org/archive/samba/2005-March/101660.html
>
> I am wondering where the Samba team currently stands on this issue? Or is there anyone else interested in this?

There's a project that does something like this called smbk5pwd.

Background: We've deployed LDAP as the authentication backend for a mixed environment: Samba DC, Windows XP workstations and LTSP server. The logon credentials are the same across environments (i.e. 'userx' can log in to both Windows workstations and LTSP clients). We wanted our users to be able to update their passwords from either environment; the Samba password change (i.e. on a Windows workstation) works fine - the LDAP server updates both the md5 hash and the NTLM hash in the LDAP directory for that user. We wanted similar functionality in the LTSP environment. We found and tried for a time to deploy smbk5pwd but have so far been unsuccessful.

That project seems like the most reasonable way to get where you are wanting to get, however... dimming the security, or adding functionality that will certainly and spectacularly break other components of Samba seems like a bad idea.

I would recommend contacting the smbk5pwd folks and seeing what they have to say.

Hope that helps,
Rubin

> Thanks,
> JX

--
Rubin Bennett
rbTechnologies, LLC
80 Carleton Boulevard
East Montpelier, VT 05651
(802)223-4448
http://thatitguy.com

"Think for yourselves and let others enjoy the privilege to do so too."
Voltaire, Essay on Tolerance
French author, humanist, rationalist, & satirist (1694 - 1778)
Jeremy Allison
2008-Dec-16 23:06 UTC
[Samba] pGINA and samba - authentication against LDAP userPassword field?
On Mon, Dec 15, 2008 at 02:23:05PM +0000, J Xu wrote:
> Hi,
>
> A while ago, someone mentioned taking pGINA code to Samba, so Samba can work against LDAP authentication, but instead of using the sambaNTPassword and sambaLMPassword, this way Samba can use the userPassword field directly.
>
> This sounds very promising because we can then just use one set of passwords. It may not be usable in a domain environment where machine accounts and other complex stuff are difficult to handle. But it is perfectly okay for a single Linux machine in workgroup mode. It can even provide user authentication to other Windows boxes with pGINA installed and configured.
>
> Here is the original thread that discussed this:
> http://lists.samba.org/archive/samba/2005-March/101660.html
>
> I am wondering where the Samba team currently stands on this issue? Or is there anyone else interested in this?

We're always interested in clean, non-obtrusive patches that increase functionality. Having said that, I don't think we'd write the patches for pGINA ourselves.

I'm happy to look at any patches that get sent in though.

Jeremy.