On 07/18/11 14:40, Ian Collins wrote:
Similarly, you're saying
"workgroup mode" (no Active Directory) in the same context as "LDAP ...
widely used to authenticate Windows users" (implies Active Directory).

No, LDAP != Active Directory, at least for NT4 domains.

Yes, but do NT4 domains use LDAP for authentication? I can only barely spell NT4, but I was under the impression that the addition of LDAP was one of the significant differences between NT4 domains and AD.

The assumption was that if you're using
enterprise-class name service in the UNIX world, you'd also be using
enterprise-class name service in the Windows world (that is, Active

That assumption is flawed (at least in our case),

Sure. Like I said, it's arguably a bug in the design. It's just not a bug in the sense that it's working the way that the designers intended.

There are two relevant CRs, and one that's related, that you could maybe track or could reference if you open a support case. (Sorry, I don't know whether CRs are publicly visible these days, or how you would look at them.)

7047401 Make NIS/LDAP and workgroups play nice together

        This is "on a system in workgroup mode, you should be able
        to log in to a NIS- or LDAP- based UNIX account".
        It would presumably involve a "set NT password" user interface.

6803321 Support for LDAP directory based passwords in workgroup mode

        Apparently some tools can store NT hashes in LDAP.  This
        requests support for that.  This makes me very nervous,
        because unlike UNIX password hashes, NT hashes have to be
        kept secret.  If you have the NT hash value, you can log
        in as the user; you don't need the actual password.
        This means that such a directory scheme must either have
        very carefully managed security (so that only authorized
        processes can retrieve the NT hash) or could be used only
        in an environment that does not require actual security.

6931475 NIS/LDAP user and groups should be resolvable via SMB

        This is only related.  Right now we have a restriction that
        names that are from NIS/LDAP aren't resolvable when you look
        at file metadata.

I guess what's really missing is support for NT4 domains.

Yes... support for NT4 domains has been on the wish list for a long time, but never quite high enough priority to make it happen. Given that AD came in with Windows 2000, over ten years ago, I have to suspect that the priority for NT4 domains won't be rising. (That's not any kind of official statement... just an observation that if they weren't considered critical last year, it seems pretty unlikely that they'll be considered critical next year. It's not like NT4 market share is increasing.)
cifs-discuss mailing list

Reply via email to