On 07/19/11 10:41 AM, Jordan Brown wrote:
6803321 Support for LDAP directory based passwords in workgroup mode

        Apparently some tools can store NT hashes in LDAP.  This
        requests support for that.  This makes me very nervous,
        because unlike UNIX password hashes, NT hashes have to be
        kept secret.  If you have the NT hash value, you can log
        in as the user; you don't need the actual password.
        This means that such a directory scheme must either have
        very carefully managed security (so that only authorized
        processes can retrieve the NT hash) or could be used only
        in an environment that does not require actual security.

I have been looking into this a bit more and Samba does store hashes in ldap (in the sambaLMPassword and sambaNTPassword attributes.). So there is a widely used precedent.

I have been using sambaNTPassword attributes to create /var/smb/smbpasswd for non-local users. From my testing so far, pGina as the authentication client and as workgroup mode server with local /var/smb/smbpasswd allows authentication and automatic drive mappings in the same way as windows native login.


cifs-discuss mailing list

Reply via email to