samba, ldap and syncing authentication

Mikkel L. Ellertson mikkel at infinity-ltd.com
Sat Feb 7 00:16:15 UTC 2009


Michael Cronenworth wrote:
> I have a Samba server acting as a PDC with Fedora Directory Server
> running as the LDAP server, which holds all the users and passwords of
> the domain. Everything is properly configured and running great.
> Changing passwords from within a Windows machine changes both NT and
> UNIX passwords.
> 
> However, I can't seem to find out how to sync NT and UNIX passwords from
> a Linux client. I can set my Linux client to use LDAP auth, but it only
> changes the UNIX password. I occasionally login to a Windows VM and
> would like to use /one/ set of username and password credentials. I
> /cannot/ have two passwords (please, don't ask why). Right now I'm
> having to manually sync NT and UNIX passwords since my Linux client is
> my main machine.
> 
You are not going to find a way to easily sync the two password
lists for existing passwords. You would have to crack the passwords
in one list, and use that to change the passwords in the other list.
(It is probably easier to crack the NT passwords...)

> Yes, I know about smbldap-tools and that's what I have the PDC using,
> but I'm looking for a solution that uses the system "passwd" command to
> change passwords. If there is no other way, fine, just tell me and I'll
> use smbldap-tools on my Linux client.
> 
Take a look at using PAM for this. You will have to do some
searching, but there is a module you can add to /etc/pam.d/passwd so
that it will change the Samba password at the same time.
> 
> P.S. The Samba programmer who thought it would be awesome to have
> separate password keeping should be shot.
> 
It was not a Samba programmer. The only way to use the same password
database would be to use clear text passwords with Samba. The
problem is that Windows and Linux use two different password hashes,
so it does no good to compare the encrypted password that Windows
sends to the encrypted password in /etc/shadow. Both are "one way"
hashes, so you can not easily get the password from the hash of the
password.

Mikkel
-- 

  Do not meddle in the affairs of dragons,
for thou art crunchy and taste good with Ketchup!
