Matt Richardson wrote:> Is it possible to take a SSHA password from an ldif and create a
> proper sambaNTpassword from it? Here's the scenario: the ldap
> servers in our organization do not have the samba schema installed and
> the likelihood of that happening is slim. I still want to provide
> clients with as close to a single sign on solution as possible and I
> can get an ldif of the accounts I need. However, the password field
> is SSHA and I will still need to generate sambaLMpassword and
> sambaNTpasswd fields (along with the rest, but that part is a wrapper
> script around smbldap-utils away.) There is a remote possibility of
> getting these hashes generated by an Identity Management Server, which
> would make the problem go away. The IDM solution is remote, as the
> admin for it is already overworked, so parsing an ldif seems to be the
> best solution at the moment.
>
> Any suggestions would be appreciated.
>
Are PAM modules a viable route and/or one that you'd consider? I have
no idea how it would work, but it seems to me that it's a good loosely
coupled interface from both sides of the problem. To be honest, I run
Slackware and PAM isn't included as Patric V. strong believes PAM is a
security risk, so I can't comment on how easy an implementation might be
as I've only toyed with it on a few occasions. I know, however, that
Samba uses PAM for syncing the passwd/shadow files, so there must be
some sort of interfacing capabilities native to Samba.