RE: Win9x<->SMB<->LDAP

Thanks, Steve, for the response. Samba authenticates against ldap by
calling getpw routine. Thanks to the nsswitch and nss_ldap and pam_ldap
it can look up the account and authenticate.

The problem comes when encrypted passwords is turned on on the Win95
client. It then sends a hash that the pam_ldap doesn't decode, and has
nothing to compare against in LDAP.

Help me here because this is where things turn vague. It looks like your
module calls getsmbpwent. Is that smbpwent specific to the smbpasswd
file, or will it roll out to nsswitch if there is no entry in the
smbpasswd file?

With regards to pam and LDAP:
Is the LDAP support idea to store a password that would have been in the
smbpasswd file as an attribute to an LDAP entry? I didn't see any
documentation on which attributes to set up or if any additional object
classes were needed.

I think what I need is a module to decode the hash and send that to the
LDAP server ala pam_ldap so the ldap passwords stored as plain, crypt,
or sha could work. Has anyone set something like this up, or are folks
working around it with password syncing programs?

TIA for comments and suggestions.


On Thu, 24 Feb 2000, Sarel J. Botha wrote:

 > On Wed, Feb 23, 2000 at 03:55:52PM -0800, Jeff Mandel wrote:
 > > A question about pam modules and smb auth for win9x. Is there a way
 > > to handle win9x hashed passwords for authentication against an LDAP
 > > instead of the smb passwd file?

 > I just wondered about your question and quickly consulted smb.conf(5). It
 > appears that samba has experimental support for authenticating against an
 > LDAP server directly.

 > Not sure if this is just a replacement for the UNIX authentication and if
 > it's for smbpasswd as well.

 The LDAP support in Samba is intended exclusively for
 storing smbpasswd-like entries (and sampasswd entries,
 which are not yet widely used).  No attempt is made to
 duplicate NSS functionality: if you want Samba to use LDAP
 for Unix lookups, use nss_ldap...

 pam_smbpass theoretically can check passwords against an
 LDAP server, the same way that Samba can.  But we don't use
 LDAP, and I haven't actually tested it.
 ftp://ftp.netexpress.net/pub/pam/ if anyone wants to give
 it a shot, tho. :)

 Steve Langasek
 postmodern programmer

