> On Tue, 10 Jun 2003, Martin Sapsed wrote:
>> Testing a bit further seems to suggest that
>>   encrypt passwords = no
>> doesn't work at all if you're using
>>   passdb backend = ldapsam:ldap://..., guest
>> in 3.0alpha24. Is this a bug or a feature? ;-)
>
> It's a feature. You can not have domain membership with plain text passwords. The purpose of the LDAP based SAM is to enable full NT style account data (including MS encrypted passwords) to be stored in a suitable scalable backend.

I *know* that, but at the moment we're mostly still on 9x using Plain text passwords and NIS. We've got a few machines running XP and 2000 and using smb.conf.%m files I've got them set to use encrypted passwords in an smbpasswd file containing the MS encrypted passwords for the relevant users.

We now want to start planning on migrating to perhaps XP and gathering the MS passwords for all 13,000 users. I thought it would be healthier to do this with the information on an LDAP server rather than having 13,000 lines in an smbpasswd file!

> If you really must use plain text passwords you can use an LDAP backend for your Unix system accounts but your "passdb backend" entry should have "guest", but accessing of the LDAP backend will need to be done at the OS level. i.e.: Do NOT put ldapsam in the passdb backend line in your smb.conf.
>
> PS: It is a very bad idea to use plain text passwords - it is insecure and no longer supported well by Microsoft.

I know that too.

> Use of plain text passwords will lead to operational problems and user complaints.

but those problems are small compared to switching one day to an LDAP/encrypted password service with very few usable passwords in it. I think it's safe to say that that would result in "operational problems" and one helluva lot of user complaints!

I believe that using "update encrypted = yes" to populate the NT/LM passwords in our new LDAP database would be the best solution to our particular problem, unless you can suggest a better one John, or anyone else?

Cheers,

Martin

P.S. why is the word encrypted so hard to type correctly?? ;-)
-- 
Martin Sapsed
Information Services               "Who do you say I am?"
University of Wales, Bangor        Jesus of Nazareth
