> I would like to know if the following statements are true, just to make
> sure that my understanding of passwords/ldap stuff is correct...
> Vampiring passwords from an nt4 pdc only populates the ldap server with
> windows passwords, and not the (linux) userPassword.

Yes.

> Authenticating
> linux logons against this ldap server is therefore only possible using
> winbind.

Not entirely true.

> 'Normal' ldap enabled software can NOT authenticate against this ldap,
> because they expect a userPassword, and by simply vampiring this
> password is left blank.

Yes, but recent OpenLDAP servers support authenticating binds against a LANMAN hash.

> The "ldap passwd sync = yes" smb.conf option makes sure that when
> updating the 'windows' password (via idealx scripts, for example) the
> (linux) userPassword gets updated as well.

Yep, via password-modify extended operation.

> So: suppose I migrate our domain to samba, and on the first samba day, I
> set all accounts to 'required to change password upon first login' I
> would end up having new passwords for everybody, both for windows and
> linux.

Yes.

> And all normal ldap enabled software would then be able to use
> that ldap directory to authenticate to.

Yes.

> Are these assumptions correct? Thanks very much for feedback.

More or less.
-- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
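A check for the situation discussed in this thread, added here as an example and not part of the original message: it reads an LDIF export of the directory and lists the accounts that carry Samba hashes but no userPassword, that is, the ones ordinary LDAP simple binds cannot use until the password is changed with "ldap passwd sync = yes" in effect. It assumes the attribute names of Samba's sambaSamAccount schema (sambaNTPassword, sambaLMPassword); the sample entries and hash values are constructed.

```python
import base64

# Constructed sample LDIF (not from the thread): "alice" as she looks right
# after vampiring, "bob" after a password change with ldap passwd sync = yes.
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=org
objectClass: sambaSamAccount
uid: alice
sambaLMPassword: 0123456789ABCDEF0123456789ABCDEF
sambaNTPassword: FEDCBA9876543210FEDCBA9876543210

dn: uid=bob,ou=People,dc=example,dc=org
objectClass: sambaSamAccount
uid: bob
sambaNTPassword: 00112233445566778899AABBCCDDEEFF
userPassword:: %s
""" % base64.b64encode(b"{SSHA}constructed").decode()

def parse_ldif(text):
    """Parse LDIF text into a list of {attribute (lowercase): [values]} dicts."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        # A line starting with one space continues the previous line.
        for line in block.replace("\n ", "").splitlines():
            attr, _, rest = line.partition(":")
            if rest.startswith(":"):  # "attr:: value" means base64-encoded
                value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
            else:
                value = rest.strip()
            entry.setdefault(attr.lower(), []).append(value)
        entries.append(entry)
    return entries

def samba_only_accounts(entries):
    """Return uids that have a Samba hash but no non-empty userPassword."""
    missing = []
    for e in entries:
        has_samba = any(v for a in ("sambantpassword", "sambalmpassword") for v in e.get(a, []))
        has_unix = any(v for v in e.get("userpassword", []))
        if has_samba and not has_unix:
            missing.append(e["uid"][0])
    return missing

if __name__ == "__main__":
    print(samba_only_accounts(parse_ldif(SAMPLE_LDIF)))
```

Run against a real export, an empty result after the forced password change indicates every Samba account also has a userPassword.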