> would make it easier if SAMBA could use say teh userpassword attribute
This comes up every month or so, and the answer is always no. Here's my
understanding of how it works, somebody correct me if I'm wrong (or
affirm if right for once ;) )
Windows encrypts the password on the client side and sends the password
hash over the wire encrypted. Once it gets to the server, the server
simply compars the hashes and gives the virtual thumbs up/down on it.
The crux of the problem is that neither password hash is reversable,
UNIX or Windows, which is why the hash is worth the bits it's stored
in... if they were reversable security would be a sham at best. You
should be able to follow through at this point that comparing two hashes
of different types is pointless since you can't derive the original
value, and the hashes are obviously going to be different.
So basically, unless you can configure windows to send the same hash as
your UNIX system uses or get your system to use the NT string, you're
pretty much borked. Of course this would also require samba to check
the sent hash against /etc/passwd|shadow, but that would probably be
trivial compared to reconfiguring windows or rewriting pam to read an NT
hash.
Make sense? It's late on friday and I'm burned out, so question away if
it doesn't.
--
Paul Gienger Office: 701-281-1884
Applied Engineering Inc.
Systems Architect Fax: 701-281-1322
URL: www.ae-solutions.com mailto: pgienger@ae-solutions.com