[Fedora-directory-users] NT Password Hash Storage
Richard Megginson
rmeggins at redhat.com
Thu Jan 19 20:37:56 UTC 2006
Roger Spencer wrote:
> I don't think I have the skill set to write something, but I'm willing
> to poke around with the OpenLDAP samba module and look at the pyldap
> plugin (where is it at?).
Don't worry about it then. We'll have to get a C coder to take a look
at it.
>
> Richard Megginson wrote:
>
>> Yes. We need a plug-in that will take updates to userPassword and
>> update sambaNTPassword (and vice versa) and possibly other related
>> things like the sambaLMPassword.
>>
>> Any volunteers? Mark McLoughlin posted some pyldap code that does
>> this, and I believe OpenLDAP has a samba module/overlay that does this.
>>
>> Roger Spencer wrote:
>>
>>>
>>> Craig White wrote:
>>>
>>>>> <..snip..>
>>>>>
>>>>
>>>> ----
>>>> I am unclear how you are doing authentication by Windows users to the
>>>> network in a normal login...via AD?
>>>>
>>>> anyway, my inclination is to set up Fedora-DS to use samba schema
>>>>
>>>> http://directory.fedora.redhat.com/wiki/Howto:Samba
>>>>
>>>> as that would give you a sambaNTPassword attribute which is normally the
>>>> hashed password as expected but how that relates to question
>>>> #2...updating the hash when the user changes their password...I suppose
>>>> that would depend upon the chain of events that occur where/when the
>>>> user changes their password...how is this information going to be sent
>>>> to fedora-ds?
>>>>
>>>> Craig
>>>>
>>>> --
>>>> Fedora-directory-users mailing list
>>>> Fedora-directory-users at redhat.com
>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>>>
>>>>
>>>
>>> When I arrived on the scene, network authentication for windows
>>> clients consisted of setting a local user id and password on a PC
>>> and setting the same user id and password on a stand-alone samba
>>> server. Of course, users had different ids for email, vpn,
>>> shared-keys for wireless, etc. and passwords never changed (there
>>> was a partial NIS setup going, so all was not bleak).
>>>
>>> What I'm doing is consolidating it all into FDS with the benefit of
>>> a password policy. The samba schema worked great and also gets
>>> samba using FDS for authentication. But this leaves one question:
>>> what to do about having two sets of passwords in FDS?
>>>
>>> With samba running as an NT domain controller, and having PCs join
>>> the domain, samba should take care of keeping the sambantpassword
>>> correct when a Windows user changes their password. But what of the
>>> userpassword attribute? What happens when that same user does an ssh
>>> session into a Linux server, which if I understand correctly, will
>>> use the userpassword attribute for authentication?
>>>
>>> Is there a way to keep the two password attributes in sync? I'm not
>>> sure if it's possible to have all devices needing to do
>>> authentication to use the NT style.
>>>
>
>