
RE: Win9x<->SMB<->LDAP



On Mon, 24 Apr 2000, Jeff Mandel wrote:

> Thanks, Steve, for the response. Samba authenticates against ldap by
> calling getpw routine. Thanks to the nsswitch and nss_ldap and pam_ldap
> it can look up the account and authenticate.

> The problem comes when encrypted passwords is turned on on the Win95
> client. It then sends a hash that the pam_ldap doesn't decode, and has
> nothing to compare against in LDAP.

> Help me here because this is where things turn vague. It looks like your
> module calls getsmbpwent. Is that smbpwent specific to the smbpasswd
> file, or will it roll out to nsswitch if there is no entry in the
> smbpasswd file?

getsmbpwent() works with several different kinds of databases, including
smbpasswd files and LDAP databases; however, this is unrelated to nsswitch,
which does not understand smbpasswd entries.  All of the code for getting
these smbpasswd entries, whether from a flatfile, an LDAP database, an SQL
database, etc., is code that's internal to Samba.

AFAIK, the Samba code currently only supports one type of back-end at a time,
and changing the type of database you use means recompiling Samba.  So there's
no config file you can modify to switch the type of back-end used.  This may
change in the future.  If you need this feature, I suggest registering your
opinion with the Samba technical list.

> With regards to pam and LDAP:
> Is the LDAP support idea to store a password that would have been in the
> smbpasswd file as attribute to an LDAP entry? I didn't see any
> documentation on which attributes to setup or if any additional object
> classes were needed.

I think this can be done by adding additional attributes to an existing LDAP
entry, yes.  Again, I've never used Samba with LDAP.  I suggest asking on the
Samba mailing lists for help with this.

> I think what I need is a module to decode the hash and send that to the
> LDAP server ala pam_ldap so the ldap passwords stored as plain, crypt,
> or sha could work. Has anyone set something like this up, or are folks
> working around it with password syncing programs?

If it can be decoded, it's not a hash.  You will need to store at least two
different hashes in the LDAP entry: one for unix programs that use crypt(),
and one for programs that use the SMB hash.

Of course, you could always store a single unencrypted password attribute, but
that's not particularly advisable (and probably not supported by the current
Samba code).

HTH,
Steve Langasek
postmodern programmer
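
An added example, not part of the original message and not Samba's code: a sketch of deriving both verifiers from one password change, as the reply above describes. The LDAP `{SSHA}` scheme stands in for crypt() on the Unix side, MD4 is implemented inline because many hashlib builds omit it, and the attribute name `exampleNTHash` and the function names are hypothetical.

```python
import base64, hashlib, hmac, os, struct

R3_ORDER = [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]

def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib often ships without it."""
    rol = lambda v, n: ((v << n) | (v >> (32 - n))) & 0xFFFFFFFF
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64)
    msg += struct.pack("<Q", len(data) * 8)
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for i in range(48):
            j = i % 16
            if i < 16:    # round 1: F, message words in order
                f, k, s = (b & c) | (~b & d), j, (3, 7, 11, 19)[j % 4]
            elif i < 32:  # round 2: G, column-wise word order
                f = ((b & c) | (b & d) | (c & d)) + 0x5A827999
                k, s = (j % 4) * 4 + j // 4, (3, 5, 9, 13)[j % 4]
            else:         # round 3: H, bit-reversed word order
                f, k, s = (b ^ c ^ d) + 0x6ED9EBA1, R3_ORDER[j], (3, 9, 11, 15)[j % 4]
            a, b, c, d = d, rol((a + f + x[k]) & 0xFFFFFFFF, s), b, c
        h = [(v + w) & 0xFFFFFFFF for v, w in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)

def nt_hash(password: str) -> str:
    """SMB-side verifier: unsalted MD4 over the UTF-16LE password."""
    return md4(password.encode("utf-16-le")).hex().upper()

def ssha(password: str, salt: bytes) -> str:
    """Unix/LDAP-side verifier: salted SHA-1 in the LDAP {SSHA} scheme."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def check_ssha(stored: str, password: str) -> bool:
    """Verify a cleartext password (as a simple bind would) against {SSHA}."""
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hmac.compare_digest(hashlib.sha1(password.encode() + salt).digest(), digest)

def entry_for_password_change(uid: str, new_password: str) -> dict:
    # Both values must be written while the cleartext is in hand;
    # neither can be computed from the other afterwards.
    return {"uid": uid,
            "userPassword": ssha(new_password, os.urandom(8)),
            "exampleNTHash": nt_hash(new_password)}  # hypothetical attribute name
```

The SMB hash is unsalted and is itself the key the challenge-response is computed from, so the attribute holding it needs the same read restrictions a cleartext password would.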


