Adam Tauno Williams wrote:
I would like to know if the following statements are true, just to make sure that my understanding of passwords/LDAP stuff is correct...
Vampiring passwords from an NT4 PDC only populates the LDAP server with Windows passwords, and not the (Linux) userPassword.
Yes.
Authenticating Linux logons against this LDAP server is therefore only possible using winbind.
Not entirely true.
'Normal' LDAP-enabled software can NOT authenticate against this LDAP, because it expects a userPassword, and by simply vampiring this password is left blank.
Yes, but recent OpenLDAP servers support authenticating binds against a LANMAN hash.
And what could be more interesting, you could have a Heimdal Kerberos authenticating against the NT hash; see
https://sec.miljovern.no/bin/view/Info/HeimdalKerberosSambaAndOpenLdap
for the details.
The "ldap passwd sync = yes" smb.conf option makes sure that when updating the 'Windows' password (via the idealx scripts, for example) the (Linux) userPassword gets updated as well.
Yep, via the password-modify extended operation.
So: suppose I migrate our domain to samba, and on the first samba day, I set all accounts to 'required to change password upon first login' I would end up having new passwords for everybody, both for windows and linux.
Yes.
And all normal ldap enabled software would then be able to use that ldap directory to authenticate to.
Yes.
Are these assumptions correct? Thanks very much for feedback.
More or less.
Cheers Geza
-- 
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
