> Let me ask two theoretical questions, before I submit my comments
> below. Windows XP/2000/et al. send their passwords via SMB hashed.
> So, without configuring those workstations to send the passwords
> plaintext over the wire, is there any way for ppolicy to act on the
> ldapmodify initiated by Samba from Windows clients attempting to change
> their passwords?

You do *NOT* need to configure the clients to use cleartext passwords - which BTW would break domain functionality anyway. Samba has a cleartext equivalent of the password when you do a password change, else how would password chat scripts work?

> Furthermore, if the above change is made so that ppolicy can evaluate
> the plaintext password, what exactly will the interaction between LDAP
> and the clients be if it fails to clear ppolicy constraints?
