fabricio bianco abreu
2006-Jan-26 16:52 UTC
[Samba] userPassword in a LDAP database of a Samba3 domain
Hi folks,

I have been able to migrate a WinNT4 domain to a Samba3 PDC domain using openldap as a backend and smbldap-tools to vampire the WinNT4 domain (pretty much following Samba3 by Example and documentation in smbldap project by IDEALX).

Nevertheless, all 600 users migrated from the WinNT4 domain have attributes like these on the ldap database:

userPassword: {crypt}x
sambaLMPassword: blablabla
sambaNTPassword: blablabla

Every user that has had their password changed since the migration (using Win9x control panel or WinXP tools or smbldap-passwd) has attributes like these on the ldap database:

userPassword: {MD5}foobar=
sambaLMPassword: blablabla
sambaNTPassword: blablabla

Now I am trying to use the same ldap server to support authentication to unix/linux services. Users that have userPassword attribute in the MD5 form can be authenticated by unix/linux services. The other users cannot.

My question is: Is there a way to populate userPassword attribute in the MD5 format so that users are not required to have their password changed? I believe a good opportunity to do so occurs whenever a user logs to the domain.

Thanks a lot.

Best regards,
Fabricio
Gordon Messmer
2006-Jan-28 01:00 UTC
[Samba] userPassword in a LDAP database of a Samba3 domain
fabricio bianco abreu wrote:
>
> Now I am trying to use the same ldap server to support authentication to
> unix/linux services.
> Users that have userPassword attribute in the MD5 form can be authenticated by
> unix/linux services. The other users cannot.
>
> My question is: Is there a way to populate userPassword attribute in the MD5
> format so that users are not required to have their password changed? I believe
> a good opportunity to do so occurs whenever a user logs to the domain.

Well, you can't convert a crypt hash to an MD5 hash, so probably not. Where did the value of that attribute come from, to begin with?
Michael Gasch
2006-Jan-29 17:14 UTC
[Samba] userPassword in a LDAP database of a Samba3 domain
well, we had the same problem or situation. there're several threads about this topic on the list. i'd suggest using winbindd for authentication of unix services against a DC

greez

--
Michael Gasch
Max Planck Institute for Evolutionary Anthropology
Department of Human Evolution (IT)
Deutscher Platz 6
D-04103 Leipzig
Germany
Phone: 49 (0)341 - 3550 137
Andrew Bartlett
2006-Jan-31 09:37 UTC
[Samba] userPassword in a LDAP database of a Samba3 domain
On Wed, 2006-01-25 at 14:09 -0200, fabricio bianco abreu wrote:
> Hi folks,
>
> My question is: Is there a way to populate userPassword attribute in the MD5
> format so that users are not required to have their password changed? I believe
> a good opportunity to do so occurs whenever a user logs to the domain.

Unfortunately this is not possible. I went to some very long lengths to 'get around' this problem, but for you, the best option is probably to force a password change, or make your users enter your password into something that gets the plaintext and validates it against the NTLM (then you can populate the md5 userPassword).

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Student Network Administrator, Hawker College http://hawkerc.net