[Fedora-directory-users] NT Password Hash Storage

Craig White craigwhite at azapple.com
Fri Jan 20 00:20:51 UTC 2006


That shouldn't be necessary for samba users.

smb.conf - global section

ldap passwd sync = yes

from man page for smb.conf

ldap passwd sync (G)
This option is used to define whether or not Samba should sync
the LDAP password with the NT and LM hashes for normal accounts
(NOT for workstation, server or domain trusts) on a password
change via SAMBA.

The ldap passwd sync can be set to one of three values:

Yes = Try to update the LDAP, NT and LM passwords and update the
pwdLastSet time.

No = Update NT and LM passwords and update the pwdLastSet time.

Only = Only update the LDAP password and let the LDAP server do the
rest.

Of course, this only handles instances where the user changes his Windows
password from Windows, but that was the direction of the OP as I
understood him.

Craig

On Thu, 2006-01-19 at 12:50 -0700, Richard Megginson wrote:
> Yes.  We need a plug-in that will take updates to userPassword and 
> update sambaNTPassword (and vice versa) and possibly other related 
> things like the sambaLMPassword.
> 
> Any volunteers?  Mark McLoughlin posted some pyldap code that does this, 
> and I believe OpenLDAP has a samba module/overlay that does this.
> 
> Roger Spencer wrote:
> 
> >
> > Craig White wrote:
> >
> >>><..snip..>
> >>>    
> >>>
> >>----
> >>I am unclear how you are doing authentication by Windows users to the
> >>network in a normal login...via AD?
> >>
> >>anyway, my inclination is to setup Fedora-DS to use samba schema
> >>
> >>http://directory.fedora.redhat.com/wiki/Howto:Samba
> >>
> >>as that would give you a sambaNTPassword attribute which is normally the
> >>hashed password as expected but how that relates to question
> >>#2...updating the hash when the user changes their password...I suppose
> >>that would depend upon the chain of events that occur where/when the
> >>user changes their password...how is this information going to be sent
> >>to fedora-ds?
> >>
> >>Craig
> >>
> >>--
> >>Fedora-directory-users mailing list
> >>Fedora-directory-users at redhat.com
> >>https://www.redhat.com/mailman/listinfo/fedora-directory-users
> >>  
> >>
> >
> > When I arrived on the scene, network authentication for windows 
> > clients consisted of setting a local user id and password on a PC and 
> > setting the same user id and password on a stand-alone samba server.  
> > Of course, users had different ids for email, vpn, shared-keys for 
> > wireless, etc. and passwords never changed (there was a partial NIS 
> > setup going, so all was not bleak).
> >
> > What I'm doing is consolidating it all into FDS with the benefit of a 
> > password policy.  The samba schema worked great and also gets samba 
> > using FDS for authentication.  But this leaves one question:  what to 
> > do about having two sets of passwords in FDS?
> >
> > With samba running as an NT domain controller, and having PCs join the 
> > domain, samba should take care of keeping the sambantpassword correct 
> > when a Windows user changes their password.  But what of the 
> > userpassword attribute?  What happens when that same user does an ssh 
> > session into a Linux server, which if I understand correctly, will use 
> > the userpassword attribute for authentication?
> >
> > Is there a way to keep the two password attributes in sync?  I'm not 
> > sure if it's possible to have all devices needing to do authentication 
> > to use the NT style.
> >



