mourik jan c heupink
2005-Feb-06 19:32 UTC
[Samba] password ldap clarification requested...
Dear list,

I would like to know if the following statements are true, just to make sure that my understanding of passwords/ldap stuff is correct...

Vampiring passwords from an nt4 pdc only populates the ldap server with windows passwords, and not the (linux) userPassword. Authenticating linux logons against this ldap server is therefore only possible using winbind. 'Normal' ldap enabled software can NOT authenticate against this ldap, because they expect a userPassword, and by simply vampiring this password is left blank.

The "ldap passwd sync = yes" smb.conf option makes sure that when updating the 'windows' password (via idealx scripts, for example) the (linux) userPassword gets updated as well.

So: suppose I migrate our domain to samba, and on the first samba day, I set all accounts to 'required to change password upon first login'. I would end up having new passwords for everybody, both for windows and linux. And all normal ldap enabled software would then be able to use that ldap directory to authenticate to.

Are these assumptions correct? Thanks very much for feedback.

Yours,
Mourik Jan
Adam Tauno Williams
2005-Feb-06 20:12 UTC
[Samba] password ldap clarification requested...
> I would like to know if the following statements are true, just to make
> sure that my understanding of passwords/ldap stuff is correct...
> Vampiring passwords from an nt4 pdc only populates the ldap server with
> windows passwords, and not the (linux) userPassword.

Yes.

> Authenticating linux logons against this ldap server is therefore only
> possible using winbind.

Not entirely true.

> 'Normal' ldap enabled software can NOT authenticate against this ldap,
> because they expect a userPassword, and by simply vampiring this
> password is left blank.

Yes, but recent OpenLDAP servers support authenticating binds against a LANMAN hash.

> The "ldap passwd sync = yes" smb.conf option makes sure that when
> updating the 'windows' password (via idealx scripts, for example) the
> (linux) userPassword gets updated as well.

Yep, via password-modify extended operation.

> So: suppose I migrate our domain to samba, and on the first samba day, I
> set all accounts to 'required to change password upon first login' I
> would end up having new passwords for everybody, both for windows and
> linux.

Yes.

> And all normal ldap enabled software would then be able to use
> that ldap directory to authenticate to.

Yes.

> Are these assumptions correct? Thanks very much for feedback.

More or less.
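As an added illustration (not code from this thread or from Samba), the following Python check reads an LDIF export of the Samba LDAP backend and lists the accounts that hold a vampired sambaNTPassword but no userPassword, i.e. the ones pam_ldap and other plain-bind LDAP clients cannot authenticate until the user's next password change, with "ldap passwd sync = yes", fills userPassword in. It assumes the standard sambaSamAccount schema attribute names; the sample export below is constructed and its hash values are made up.

```python
import base64

# Constructed sample export of three sambaSamAccount entries (hash values and
# the base64 {SSHA} value are made up, not real credentials).
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=com
uid: alice
sambaNTPassword: 00112233445566778899AABBCCDDEEFF

dn: uid=bob,ou=People,dc=example,dc=com
uid: bob
sambaNTPassword: 0123456789ABCDEF0123456789ABCDEF
userPassword:: e1NTSEF9YWJj

dn: uid=carol,ou=People,dc=example,dc=com
uid: carol
sambaNTPassword: FEDCBA9876543210FEDCBA9876543210
userPassword:
"""


def parse_ldif(text):
    """Minimal LDIF reader: one {attribute: [values]} dict per entry.
    Attribute names are lower-cased (LDAP compares them case-insensitively),
    'attr:: value' is base64-decoded, folded continuation lines are joined."""
    entries, current = [], {}
    for line in text.replace("\n ", "").splitlines():
        if not line.strip():          # blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        attr, sep, value = line.partition("::")
        if sep:                       # base64-encoded value
            value = base64.b64decode(value.strip()).decode("utf-8", "replace")
        else:
            attr, _, value = line.partition(":")
            value = value.strip()
        current.setdefault(attr.strip().lower(), []).append(value)
    if current:
        entries.append(current)
    return entries


def accounts_without_user_password(entries):
    """DNs of entries with an NT hash but no non-empty userPassword: the state
    a vampire run leaves accounts in, so plain LDAP binds fail for them."""
    return [e["dn"][0] for e in entries
            if "sambantpassword" in e and not any(e.get("userpassword", []))]
```

Run it against a real export (for example the output of an ldapsearch for objectClass=sambaSamAccount) to see which migrated users still need to change their password before non-Samba LDAP clients will accept them.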
Heupink, Mourik Jan C.
2005-Feb-07 11:44 UTC
[Samba] password ldap clarification requested...
Thanks very much for the replies. This helps!

And for the Heimdal Kerberos stuff: I'm very much trying to stick to the KISS principle, so that might be something for later. :)

Thanks,
mourik jan

> -----Original Message-----
> From: Gémes Géza [mailto:geza@kzsdabas.sulinet.hu]
> Sent: 06 February 2005 21:47
> To: awilliam@whitemice.org
> Cc: mourik jan c heupink; samba@lists.samba.org
> Subject: Re: [Samba] password ldap clarification requested...
>
> Adam Tauno Williams wrote:
>
> >> I would like to know if the following statements are true, just to
> >> make sure that my understanding of passwords/ldap stuff is correct...
> >> Vampiring passwords from an nt4 pdc only populates the ldap server with
> >> windows passwords, and not the (linux) userPassword.
> >
> > Yes.
> >
> >> Authenticating linux logons against this ldap server is therefore only
> >> possible using winbind.
> >
> > Not entirely true.
> >
> >> 'Normal' ldap enabled software can NOT authenticate against this ldap,
> >> because they expect a userPassword, and by simply vampiring this
> >> password is left blank.
> >
> > Yes, but recent OpenLDAP servers support authenticating binds against a
> > LANMAN hash.
>
> And what could be more interesting, you could have a Heimdal Kerberos
> authenticating against the NT hash, see
> https://sec.miljovern.no/bin/view/Info/HeimdalKerberosSambaAndOpenLdap
> for the details
>
> >> The "ldap passwd sync = yes" smb.conf option makes sure that when
> >> updating the 'windows' password (via idealx scripts, for example) the
> >> (linux) userPassword gets updated as well.
> >
> > Yep, via password-modify extended operation.
> >
> >> So: suppose I migrate our domain to samba, and on the first samba day,
> >> I set all accounts to 'required to change password upon first login' I
> >> would end up having new passwords for everybody, both for windows and
> >> linux.
> >
> > Yes.
> >
> >> And all normal ldap enabled software would then be able to use
> >> that ldap directory to authenticate to.
> >
> > Yes.
> >
> >> Are these assumptions correct? Thanks very much for feedback.
> >
> > More or less.
>
> Cheers
>
> Geza