On 07/18/11 14:40, Ian Collins wrote:
>> Similarly, you're saying
>> "workgroup mode" (no Active Directory) in the same context as "LDAP ...
>> widely used to authenticate Windows users" (implies Active Directory).
> No, LDAP != Active Directory, at least for NT4 domains.
Yes, but do NT4 domains use LDAP for authentication? I can only barely
spell NT4, but I was under the impression that the addition of LDAP was one
of the significant differences between NT4 domains and AD.
>> The assumption was that if you're using
>> enterprise-class name service in the UNIX world, you'd also be using
>> enterprise-class name service in the Windows world (that is, Active
> That assumption is flawed (at least in our case),
Sure. Like I said, it's arguably a bug in the design. It's just not a bug
in the sense that it's working the way that the designers intended.
There are two relevant CRs, and one that's related, that you could maybe
track or could reference if you open a support case. (Sorry, I don't know
whether CRs are publicly visible these days, or how you would look at them.)
7047401 Make NIS/LDAP and workgroups play nice together
This is "on a system in workgroup mode, you should be able
to log in to a NIS- or LDAP-based UNIX account".
It would presumably involve a "set NT password" user interface.
6803321 Support for LDAP directory based passwords in workgroup mode
Apparently some tools can store NT hashes in LDAP. This
requests support for that. This makes me very nervous,
because unlike UNIX password hashes, NT hashes have to be
kept secret. If you have the NT hash value, you can log
in as the user; you don't need the actual password.
This means that such a directory scheme must either have
very carefully managed security (so that only authorized
processes can retrieve the NT hash) or could be used only
in an environment that does not require actual security.
6931475 NIS/LDAP user and groups should be resolvable via SMB
This is only related. Right now we have a restriction that
names that are from NIS/LDAP aren't resolvable when you look
at file metadata.
> I guess what's really missing is support for NT4 domains.
Yes... support for NT4 domains has been on the wish list for a long time,
but never quite high enough priority to make it happen. Given that AD came
in with Windows 2000, over ten years ago, I have to suspect that the
priority for NT4 domains won't be rising. (That's not any kind of official
statement... just an observation that if they weren't considered critical
last year, it seems pretty unlikely that they'll be considered critical
next year. It's not like NT4 market share is increasing.)
cifs-discuss mailing list
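The "only authorized processes can retrieve the NT hash" requirement from CR 6803321 above is something a directory admin can actually check. The following is an added example, not code from this thread or from any project it mentions: a small Python audit of OpenLDAP-style olcAccess rules that flags NT-hash attributes readable by broad principals. It assumes the Samba LDAP schema's sambaNTPassword/sambaLMPassword attribute names, OpenLDAP's access syntax and its first-match evaluation of "by" clauses.

```python
import re
# Constructed audit, not code from the thread. Attribute names follow the Samba
# LDAP schema and the rule syntax is OpenLDAP's olcAccess: both are assumptions.
NT_HASH_ATTRS = {"sambantpassword", "samballmpassword"}
# OpenLDAP privilege levels, weakest first; "read" or above returns the stored hash (a password equivalent).
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]
BROAD_WHO = {"*", "users", "anonymous"}   # everyone / every bound user, not a named DN

def grants_read(access: str) -> bool:
    """True if an access spec lets the matching principal read the attribute."""
    if access.startswith(("=", "+")):
        return "r" in access[1:]          # explicit privilege letters, e.g. =wrscx, =w
    if access.startswith("-"):
        return False                      # removing privileges never grants read
    return access in LEVELS and LEVELS.index(access) >= LEVELS.index("read")

def parse_rule(rule: str):
    """Split 'to <what> by <who> <access> ...' into (what, [(who, access), ...]).
    Quoted DNs are assumed to have no whitespace; control words like 'stop' are ignored."""
    parts = re.split(r"\s+by\s+", rule.strip())
    if not parts[0].startswith("to "):
        raise ValueError("rule must start with 'to'")
    clauses = []
    for part in parts[1:]:
        toks = part.split()
        if len(toks) < 2:
            raise ValueError(f"malformed by-clause: {part!r}")
        clauses.append((toks[0], toks[1]))
    return parts[0][3:].strip(), clauses

def covers_nt_hash(what: str) -> bool:
    """True if the 'to' target includes an NT or LM hash attribute ('to *' does)."""
    m = re.search(r"attrs=(\S+)", what)
    if m is None:
        return what == "*"
    return any(a.lower() in NT_HASH_ATTRS for a in m.group(1).split(","))

def nt_hash_exposures(rule: str) -> list:
    """Broad principals able to read NT hashes under this rule. OpenLDAP stops at the
    first matching 'by' clause, so 'by users read' ahead of 'by * none' still leaks."""
    what, clauses = parse_rule(rule)
    if not covers_nt_hash(what):
        return []
    return [who for who, acc in clauses if who in BROAD_WHO and grants_read(acc)]
# Constructed rules: WEAK hands the hash to every authenticated user; HARDENED
# limits it to one service DN plus write-only (=w) self-updates.
SERVICE = 'dn.exact="cn=smb,ou=services,dc=example,dc=com"'
WEAK_RULE = f"to attrs=sambaNTPassword,sambaLMPassword by {SERVICE} write by users read by * none"
HARDENED_RULE = f"to attrs=sambaNTPassword,sambaLMPassword by {SERVICE} write by self =w by * none"
```

Running nt_hash_exposures over each olcAccess line of a slapd config reports which rules let "users", "anonymous" or "*" read the stored NT hash; an empty list for every rule is the state the CR's "carefully managed security" asks for.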