RE: [Samba] password ldap clarification requested...

02-07-2005
Heupink, Mourik Jan C.
 

Thanks very much for the replies. This helps!

And for the Heimdal Kerberos stuff: I'm very much trying to stick to the
KISS principle, so that might be something for later. :)

Thanks,
mourik jan

> -----Original Message-----
> From: Gémes Géza [mailto:geza@kzsdabas.sulinet.hu]
> Sent: 06 February 2005 21:47
> To: awilliam@whitemice.org
> Cc: mourik jan c heupink; samba@lists.samba.org
> Subject: Re: [Samba] password ldap clarification requested...
>
> Adam Tauno Williams wrote:
>
> >>I would like to know if the following statements are true, just to
> >>make sure that my understanding of passwords/ldap stuff is correct...
> >>Vampiring passwords from an nt4 pdc only populates the ldap server with
> >>windows passwords, and not the (linux) userPassword.
> >
> >Yes.
> >
> >>Authenticating linux logons against this ldap server is therefore only
> >>possible using winbind.
> >
> >Not entirely true.
> >
> >>'Normal' ldap enabled software can NOT authenticate against this ldap,
> >>because they expect a userPassword, and by simply vampiring this
> >>password is left blank.
> >
> >Yes, but recent OpenLDAP servers support authenticating binds against a
> >LANMAN hash.
> >
> And what could be more interesting, you could have a Heimdal Kerberos
> authenticating against the NT hash, see
> https://sec.miljovern.no/bin/view/In...mbaAndOpenLdap
> for the details
>
> >>The "ldap passwd sync = yes" smb.conf option makes sure that when
> >>updating the 'windows' password (via idealx scripts, for example) the
> >>(linux) userPassword gets updated as well.
> >
> >Yep, via password-modify extended operation.
> >
> >>So: suppose I migrate our domain to samba, and on the first samba day,
> >>I set all accounts to 'required to change password upon first login' I
> >>would end up having new passwords for everybody, both for windows and
> >>linux.
> >
> >Yes.
> >
> >>And all normal ldap enabled software would then be able to use
> >>that ldap directory to authenticate to.
> >
> >Yes.
> >
> >>Are these assumptions correct? Thanks very much for feedback.
> >
> >More or less.
> >
> Cheers Geza
>

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/listinfo/samba
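
Added example (not part of the original thread, and not Samba project code): during the migration described above, a small audit over an LDIF export can list the accounts that still have only the vampired NT hash and no `userPassword`, i.e. the ones that LDAP software doing plain binds cannot authenticate yet. The attribute name `sambaNTPassword` is taken from the Samba LDAP schema rather than from the thread; the function names and the sample entries are constructed for illustration.

```python
import base64

# Constructed sample export (not from the thread). alice is as vampired;
# bob has changed his password with "ldap passwd sync = yes" in effect.
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=org
objectClass: sambaSamAccount
uid: alice
sambaNTPassword: 00000000000000000000000000000000

dn: uid=bob,ou=People,
 dc=example,dc=org
objectClass: sambaSamAccount
uid: bob
sambaNTPassword: 11111111111111111111111111111111
userPassword:: e1NTSEF9Y29uc3RydWN0ZWQ=
"""

def parse_ldif(text):
    """Minimal LDIF reader: unfolds continuation lines, decodes '::' values."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]              # folded line continues previous
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:                 # trailing "" flushes last entry
        if not line.strip():
            if current:
                entries.append(current)
            current = {}
        elif not line.startswith("#"):
            attr, _, value = line.partition(":")
            if value.startswith(":"):         # base64-encoded value
                raw_value = base64.b64decode(value[1:].strip())
                value = raw_value.decode("utf-8", "replace")
            current.setdefault(attr.lower(), []).append(value.strip())
    return entries

def missing_unix_password(entries):
    """DNs that hold an NT hash but no userPassword usable for simple binds."""
    return [e.get("dn", ["?"])[0] for e in entries
            if any(e.get("sambantpassword", []))
            and not any(e.get("userpassword", []))]

if __name__ == "__main__":
    for dn in missing_unix_password(parse_ldif(SAMPLE_LDIF)):
        print("no userPassword yet:", dn)
```

An empty `userPassword:` value is treated the same as a missing attribute, matching the "left blank" case in the thread.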