
Re: samba, ldap and syncing authentication

On Fri, 2009-02-06 at 16:38 -0600, Michael Cronenworth wrote:
> I have a Samba server acting as a PDC with Fedora Directory Server
> running as the LDAP server, which holds all the users and passwords of
> the domain. Everything is properly configured and running great.
> Changing passwords from within a Windows machine changes both NT and
> UNIX passwords.
>
> However, I can't seem to find out how to sync NT and UNIX passwords from
> a Linux client. I can set my Linux client to use LDAP auth, but it only
> changes the UNIX password. I occasionally login to a Windows VM and
> would like to use /one/ set of username and password credentials. I
> /cannot/ have two passwords (please, don't ask why). Right now I'm
> having to manually sync NT and UNIX passwords since my Linux client is
> my main machine.
>
> Yes, I know about smbldap-tools and that's what I have the PDC using,
> but I'm looking for a solution that uses the system "passwd" command to
> change passwords. If there is no other way, fine, just tell me and I'll
> use smbldap-tools on my Linux client.
>
> P.S. The Samba programmer who thought it would be awesome to have
> separate password keeping should be shot.

Why is it necessary for you to conclude with a statement that
demonstrates your ignorance as if it somehow insults someone other than

Samba schema is based on methodologies that Microsoft employs which are
not compatible with POSIX attributes. Therefore, you get sambaNTPassword
and sambaLMPassword attributes that are Microsoft compatible hashed
passwords but the userPassword (POSIX) could be a variety of different
encryption schemes depending upon your implementation but none of them
being compatible with the simple hash Microsoft uses.

Yes, Samba has an option to sync unix passwords so that a Windows client
can change a password and it will change all 3 above attributes when
configured properly and no, I don't know of a configuration switch that
will do it the opposite way, where you change userPassword and it
simultaneously changes the other samba attributes.

I use horde/imp/etc. and there is a module called password that allows
users to change their passwords. There probably are other programs that
can do much the same. You can probably roll your own program to do that
as well.

In the end though... Samba performs all of its functions as intended and
the problem isn't Samba at all, it's the passwd command itself because
it is entirely oblivious to the concept that another password
methodology exists... perhaps you should be shooting a Unix/Linux
programmer or two...

