I'm trying to create a single sign on configuration for a home fileserver, storing user accounts in the directory and using those credentials to authenticate Linux shell logins, server applications and PDC logins. I have NSS working correctly and am trying to extend my LDAP schema to accommodate Samba. For the benefit of my own understanding, I'm trying to make the necessary changes to my ldif file by hand. I will only ever have 3 users, so I'm not terribly concerned about scripts for automating account maintenance. It appears that the uid and SID are the only mandatory attributes, but I also see attributes for storing the passwd or pw hash. Is the passwd to be stored in the LDAP record twice - once as a posix pw and once as a domain pw? Can't Samba just use the existing pw attribute? If I attempt to auth, check_ntlm_password returns NT_STATUS_WRONG_PASSWORD. Could that also result from not being able to find the appropriate pw attribute?
On Thu, 2009-03-26 at 22:35 -0400, jeff sacksteder wrote:

> I'm trying to create a single sign on configuration for a home
> fileserver, storing user accounts in the directory and using those
> credentials to authenticate Linux shell logins, server applications
> and PDC logins.

Not single sign on (that is Kerberos), but unified (one) login.

> It appears that the uid and SID are the only mandatory attributes, but
> I also see attributes for storing the passwd or pw hash. Is the passwd
> to be stored in the LDAP record twice - once as a posix pw and once as
> a domain pw?

No, three times. Your "UNIX" password crypt in userpassword and twice for cifs: once as an NT hash (MD5?) and one as a LANMAN hash. It works out fine - just change your passwords via Samba or use the standard change-password extended operation [LDAP] with the smbk5 module and they will all be updated simultaneously.

> Can't Samba just use the existing pw attribute?

No.

> If I attempt to auth, check_ntlm_password returns
> NT_STATUS_WRONG_PASSWORD. Could that also result from not being able
> to find the appropriate pw attribute?

Yep.

-- 
OpenGroupware developer: awilliam@whitemice.org
<http://whitemiceconsulting.blogspot.com/>
OpenGroupware & Cyrus IMAPd documentation @
<http://docs.opengroupware.org/Members/whitemice/wmogag/file_view>
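As an added example (not code from this thread or from Samba), the audit below checks that a user entry's userPassword and sambaNTPassword still encode the same cleartext password, the "kept in sync" condition described above, and reports a missing sambaNTPassword, the case the NT_STATUS_WRONG_PASSWORD question asks about. It assumes OpenLDAP's {SSHA} form of userPassword and a constructed sample entry; the NT hash is MD4 over the UTF-16LE password, and the LANMAN hash is not verified here because that needs DES.

```python
import base64, hashlib, struct

def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF

def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib often lacks md4 under OpenSSL 3."""
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", 8 * len(data))
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    # Each round: (boolean function, additive constant, X[] index order, shift cycle)
    rounds = [(lambda x, y, z: (x & y) | (~x & z), 0, list(range(16)), (3, 7, 11, 19)),
              (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999,
               [(i % 4) * 4 + i // 4 for i in range(16)], (3, 5, 9, 13)),
              (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1,
               [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15))]
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", bytes(msg[off:off + 64]))
        aa, bb, cc, dd = a, b, c, d
        for fn, const, order, shifts in rounds:
            for i, k in enumerate(order):
                a = _rotl((a + fn(b, c, d) + X[k] + const) & 0xFFFFFFFF, shifts[i % 4])
                a, b, c, d = d, a, b, c  # rotate registers so 'a' is always updated
        a, b, c, d = [(v + w) & 0xFFFFFFFF for v, w in zip((a, b, c, d), (aa, bb, cc, dd))]
    return struct.pack("<4I", a, b, c, d)

def nt_hash(password: str) -> str:
    """Value Samba keeps in sambaNTPassword: MD4 of the UTF-16LE password, hex."""
    return md4(password.encode("utf-16-le")).hex().upper()

def ssha(password: str, salt: bytes) -> str:
    """OpenLDAP {SSHA} form of userPassword: base64(sha1(pw + salt) + salt)."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def check_ssha(stored: str, password: str) -> bool:
    raw = base64.b64decode(stored[len("{SSHA}"):])  # 20-byte digest, then salt
    return hashlib.sha1(password.encode() + raw[20:]).digest() == raw[:20]

def audit_entry(entry: dict, password: str) -> list:
    """Findings for one user entry (attribute -> value); empty list means consistent."""
    findings = [f"missing {a}" for a in ("userPassword", "sambaNTPassword") if a not in entry]
    pw = entry.get("userPassword", "")
    if pw.startswith("{SSHA}") and not check_ssha(pw, password):
        findings.append("userPassword does not match")
    if "sambaNTPassword" in entry and entry["sambaNTPassword"].upper() != nt_hash(password):
        findings.append("sambaNTPassword out of sync with UNIX password")
    return findings

# Constructed sample: UNIX password changed with ldappasswd, Samba hash never updated.
SAMPLE_ENTRY = {"uid": "jeff", "userPassword": ssha("NewPass!2009", b"salt1234"),
                "sambaNTPassword": nt_hash("OldPass!2008")}
```

Running `audit_entry(SAMPLE_ENTRY, "NewPass!2009")` reports the stale sambaNTPassword, which is exactly the state that makes Samba reject a password the UNIX side still accepts.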
> out fine - just change your passwords via Samba or use the standard
> change-password extended operation [LDAP] with the smbk5 module and they
> will all be updated simultaneously.

Could you elaborate on the smbk5 module and how it relates to ldappasswd?
On 27.03.2009 07:04, Adam Tauno Williams wrote:

>> It appears that the uid and SID are the only mandatory attributes, but
>> I also see attributes for storing the passwd or pw hash. Is the passwd
>> to be stored in the LDAP record twice - once as a posix pw and once as
>> a domain pw?
>
> No, three times. Your "UNIX" password crypt in userpassword and twice
> for cifs: once as an NT hash (MD5?) and one as a LANMAN hash. It works
> out fine - just change your passwords via Samba or use the standard
> change-password extended operation [LDAP] with the smbk5 module and they
> will all be updated simultaneously.

Master question: what if you have MIXED users? Say users working on the Linux console (via SSH) and users who work at Windows PCs (connected via Samba), and you want to maintain only ONE account database and make sure that the users' passwords are consistent at ALL TIMES. And OF COURSE you want to ensure that users use strong passwords (a complexity check like pam_cracklib provides), that users don't use passwords multiple times (password history), and password aging. Of course the users must be allowed to change their passwords wherever they are (Windows side and console side). Also, the users are to be forced to change their password on their first login or if their admin has reset their passwords. How to achieve that??

This isn't some "fantasy" scenario; this should be an everyday scenario for all networks. Solved in Novell NetWare/NDS and Microsoft Windows Server. Also solved in Linux/open source??? Will Kerberos still solve this scenario?