Unix and Windows/Samba servers both store passwords in a one-way encrypted format. So when you authenticate to a server, you type in your password, the server encrypts it and compares it to the encrypted version it has in its password database. This is important since your encrypted password data may (legitimately or not) be accessible to other people. This is separate from any network-level encryption that may be used. (For example, if you telnet into a server your password is stored in an encrypted format but the password is still transmitted in the clear.)

Unix and Windows use different password encryption methods, which means that they have to have different encrypted passwords stored, which means the users have to have different passwords. (Unix uses things like CRYPT or MD5.) You can have unix use the Windows password via winbindd. However, to have Windows/Samba use the unix password (which is what you want) you would have to configure Samba to disable the password encryption (which is what you don't want). I am not sure of the exact syntax and I am pretty sure it is strongly discouraged.

As far as I know, you can not use Windows password encryption routines for the unix passwords directly.

On 03/29/2010 07:16 PM, Robert Heller wrote:
At Mon, 29 Mar 2010 17:38:39 -0400 [email protected] wrote:

According to how you have described your environment, whether or not you
use LDAP for Samba's backend, your users will still need corresponding
unix accounts AND will still have separate unix and windows
passwords. If you use ldap there will be separate fields for the
different passwords. If you configure password sync it should appear
to the users that they have a single password. (i.e. if they change the
password in Windows or with smbpasswd the unix password should also
change.)


If you really want a single password I think your options are as follows:
      Configure unix logons to use winbind authentication (i.e.
authenticate using the samba/windows password.)
      Use kerberos for unix and samba.

But that may not resolve your concerns with Samba writing to LDAP.


So if you only have one samba machine  and only a few users you may
still want to stick to the TDB backend for the windows account info.
Samba will still match the unix name to the windows name either way.

OK, it looks like that is what I am stuck with.  I only *really* need
one or two users -- it is only for dealing with backups and posting some
files.  This seems to work; I will just have to live with the potential
issues of possible differing passwords if/when that happens -- it is
only two usernames at present.

Question: why can't samba just use UNIX's user authentication?  Is this
something in the way MS-Windows encrypts the password it sends over the
NetBIOS protocol?  Or is there some other issue going on?


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
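The thread's core point (different one-way functions on each side, so Samba cannot verify a Windows logon against the Unix hash, and "password sync" can only recompute both hashes at change time when the plaintext is available) can be shown in working code. The following is an added example written for this page; it is not Samba's code and not from any of the posters. It implements MD4 directly (so it does not depend on hashlib offering MD4), uses the real NT hash construction (MD4 over the UTF-16LE password, unsalted) and the NTLMv2 proof shape from MS-NLMP, but the Unix side uses PBKDF2-SHA256 purely as a stand-in for the crypt(3) CRYPT/MD5 schemes the mail names, and the user name, domain, salt, challenge and client blob are constructed values.

```python
"""Why a Samba server needs its own password store next to /etc/shadow.

Constructed demonstration: a Unix-style salted hash and the Windows NT hash
are unrelated one-way functions of the same password, and the challenge-
response a Windows client sends can only be checked by a server that holds
the NT hash itself.  Names, salts and challenges here are made up.
"""
import hashlib
import hmac
import os
import struct

MASK = 0xFFFFFFFF


def _lrot(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320).  Implemented here because OpenSSL 3 only
    exposes MD4 through its legacy provider, so hashlib.new('md4') may fail."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", (8 * len(data)) & 0xFFFFFFFFFFFFFFFF)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    rounds = (
        (F, 0x00000000, range(16), (3, 7, 11, 19)),
        (G, 0x5A827999, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (H, 0x6ED9EBA1, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        A, B, C, D = a, b, c, d
        for f, const, order, shifts in rounds:
            for i, k in enumerate(order):
                A = _lrot((A + f(B, C, D) + X[k] + const) & MASK, shifts[i % 4])
                A, B, C, D = D, A, B, C  # rotate so the next step updates old D
        a, b, c, d = (a + A) & MASK, (b + B) & MASK, (c + C) & MASK, (d + D) & MASK
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    """Windows NT hash: MD4 over the UTF-16LE password, no salt."""
    return md4(password.encode("utf-16le"))


def unix_hash(password: str, salt: bytes) -> bytes:
    """Unix-style salted one-way hash.  PBKDF2-SHA256 stands in for crypt(3)'s
    CRYPT/MD5 schemes; what matters is that it is salted and unrelated to MD4."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


def ntlmv2_response(nt: bytes, user: str, domain: str,
                    server_challenge: bytes, client_blob: bytes) -> bytes:
    """NTLMv2 proof (MS-NLMP): the client never sends the password, only an
    HMAC keyed by a derivative of the NT hash over the server's challenge."""
    ntowf_v2 = hmac.new(nt, (user.upper() + domain).encode("utf-16le"), "md5").digest()
    return hmac.new(ntowf_v2, server_challenge + client_blob, "md5").digest()


class Account:
    """One user with both stores, as a Unix host running Samba must keep."""

    def __init__(self, name: str, domain: str, password: str):
        self.name, self.domain = name, domain
        self.set_password(password)

    def set_password(self, password: str) -> None:
        # "Password sync" can only happen here: the plaintext is the sole
        # common input, so both hashes are recomputed together at change time.
        self.salt = os.urandom(16)
        self.unix = unix_hash(password, self.salt)
        self.nt = nt_hash(password)

    def unix_login(self, password: str) -> bool:
        # Plaintext arrives (e.g. telnet/ssh), so the salted hash can be checked.
        return hmac.compare_digest(unix_hash(password, self.salt), self.unix)

    def smb_login(self, server_challenge: bytes, client_blob: bytes, proof: bytes) -> bool:
        # No plaintext arrives; only the stored NT hash can validate the proof.
        # A crypt(3)-style hash is useless for this step.
        expected = ntlmv2_response(self.nt, self.name, self.domain, server_challenge, client_blob)
        return hmac.compare_digest(expected, proof)


if __name__ == "__main__":
    acct = Account("alice", "WORKGROUP", "s3cret")  # constructed account
    challenge, blob = os.urandom(8), os.urandom(24)  # constructed exchange
    proof = ntlmv2_response(nt_hash("s3cret"), "alice", "WORKGROUP", challenge, blob)
    print("unix login:", acct.unix_login("s3cret"), " smb login:", acct.smb_login(challenge, blob, proof))
```

The `smb_login` path is the answer to "why can't samba just use UNIX's user authentication": the Windows client only ever sends a keyed HMAC derived from the NT hash, so a server that holds only `unix_hash` output has nothing it can compare against. Disabling encrypted passwords makes the client send the plaintext instead, which is why the mail calls that option discouraged.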