On 07/19/11 10:41 AM, Jordan Brown wrote:
6803321 Support for LDAP directory based passwords in workgroup mode

        Apparently some tools can store NT hashes in LDAP.  This
        requests support for that.  This makes me very nervous,
        because unlike UNIX password hashes, NT hashes have to be
        kept secret.  If you have the NT hash value, you can log
        in as the user; you don't need the actual password.
        This means that such a directory scheme must either have
        very carefully managed security (so that only authorized
        processes can retrieve the NT hash) or could be used only
        in an environment that does not require actual security.

I have been looking into this a bit more and Samba does store hashes in LDAP (in the sambaLMPassword and sambaNTPassword attributes). So there is a widely used precedent.

I have been using sambaNTPassword attributes to create /var/smb/smbpasswd for non-local users. From my testing so far, pGina as the authentication client and as workgroup mode server with local /var/smb/smbpasswd allows authentication and automatic drive mappings in the same way as Windows native login.

--
Ian.

_______________________________________________
cifs-discuss mailing list
cifs-discuss@opensolaris.org
http://mail.opensolaris.org/mailman/listinfo/cifs-discuss
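
Added example, not part of the original thread or of any project's code: one way to check the "very carefully managed security" condition raised above is to run a directory search as a bind identity that should not be able to read the hashes, save the LDIF, and flag every entry where sambaNTPassword or sambaLMPassword came back. The DNs and the hash value below are constructed placeholders; the report lists attribute names only and never echoes the values.

```python
import base64

# Attribute names taken from the thread; LDAP attribute names are case-insensitive.
SENSITIVE = {"sambantpassword", "sambalmpassword"}

def parse_ldif(text):
    """Yield (dn, {attr: [values]}) per entry; handles folded lines and base64."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # continuation of a folded line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    dn, attrs = None, {}
    for line in lines + [""]:                  # trailing "" flushes the last entry
        if not line.strip():
            if dn is not None:
                yield dn, attrs
            dn, attrs = None, {}
            continue
        if line.startswith("#"):               # LDIF comment
            continue
        name, _, rest = line.partition(":")
        value = rest.strip()
        if rest.startswith(":"):               # "attr:: <base64>"
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        name = name.split(";")[0].strip().lower()   # drop options such as ;binary
        if name == "dn":
            dn = value
        else:
            attrs.setdefault(name, []).append(value)

def exposed_hashes(ldif_text):
    """Map DN -> hash attributes the bind identity could read (values not echoed)."""
    found = {dn: sorted(a for a in attrs if a in SENSITIVE and any(attrs[a]))
             for dn, attrs in parse_ldif(ldif_text)}
    return {dn: names for dn, names in found.items() if names}

# Constructed sample: placeholder hash, made-up DNs; bob's value is base64 and folded.
FAKE = "0123456789ABCDEF0123456789ABCDEF"
B64 = base64.b64encode(FAKE.encode()).decode()
SAMPLE = (
    f"version: 1\n\ndn: uid=alice,ou=people,dc=example,dc=org\nsambaNTPassword: {FAKE}\n\n"
    f"dn: uid=bob,ou=people,dc=example,dc=org\nSambaLMPassword: {FAKE}\n"
    f"sambaNTPassword:: {B64[:12]}\n {B64[12:]}\n\n"
    "dn: uid=carol,ou=people,dc=example,dc=org\nuid: carol\n"
)
```

An empty result from `exposed_hashes` for an unprivileged or anonymous bind is the outcome to aim for; any DN it returns means that identity can retrieve a password-equivalent value.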
