Thanks very much for the replies. This helps! And for the Heimdal Kerberos stuff: I'm very much trying to stick to the KISS principle, so that might be something for later. :)

Thanks,
mourik jan

> -----Original Message-----
> From: Gémes Géza [mailto:[EMAIL PROTECTED]
> Sent: 06 February 2005 21:47
> To: [EMAIL PROTECTED]
> Cc: mourik jan c heupink; [email protected]
> Subject: Re: [Samba] password ldap clarification requested...
>
>
> Adam Tauno Williams wrote:
>
> >>I would like to know if the following statements are true, just to make
> >>sure that my understanding of passwords/ldap stuff is correct...
> >>Vampiring passwords from an nt4 pdc only populates the ldap server with
> >>windows passwords, and not the (linux) userPassword.
> >
> >Yes.
> >
> >>Authenticating linux logons against this ldap server is therefore only
> >>possible using winbind.
> >
> >Not entirely true.
> >
> >>'Normal' ldap enabled software can NOT authenticate against this ldap,
> >>because they expect a userPassword, and by simply vampiring this
> >>password is left blank.
> >
> >Yes, but recent OpenLDAP servers support authenticating binds against a
> >LANMAN hash.
> >
> And what could be more interesting, you could have a Heimdal Kerberos
> authenticating against the NT hash, see
> https://sec.miljovern.no/bin/view/Info/HeimdalKerberosSambaAndOpenLdap
> for the details
>
> >>The "ldap passwd sync = yes" smb.conf option makes sure that when
> >>updating the 'windows' password (via idealx scripts, for example) the
> >>(linux) userPassword gets updated as well.
> >
> >Yep, via password-modify extended operation.
> >
> >>So: suppose I migrate our domain to samba, and on the first samba day, I
> >>set all accounts to 'required to change password upon first login' I
> >>would end up having new passwords for everybody, both for windows and
> >>linux.
> >
> >Yes.
> >
> >>And all normal ldap enabled software would then be able to use
> >>that ldap directory to authenticate to.
> >
> >Yes.
> >
> >>Are these assumptions correct?
> >>Thanks very much for feedback.
> >
> >More or less.
> >
> Cheers
> Geza
>
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/listinfo/samba
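
Added example, not part of the original thread: a migration check that reads an LDIF export and reports which accounts carry only Samba hashes and no userPassword, the state the thread describes right after vampiring. The attribute names sambaNTPassword and sambaLMPassword come from Samba's LDAP schema rather than from the thread, and the DNs and hash values are constructed.

```python
import base64

# Constructed export (not from the thread): alice vampired only, bob changed password since.
SAMPLE_LDIF = """\
dn: uid=alice,ou=Users,dc=example,dc=org
objectClass: sambaSamAccount
sambaLMPassword: 00000000000000000000000000000000
sambaNTPassword: 11111111111111111111111111111111

dn: uid=bob,ou=Users,
 dc=example,dc=org
sambaNTPassword: 22222222222222222222222222222222
userPassword:: e1NTSEF9Y29uc3RydWN0ZWQ=
"""

def parse_ldif(text):
    """Parse LDIF into entries: dict of lowercased attribute -> list of values."""
    # RFC 2849 folding: a line starting with one space continues the previous line.
    unfolded = text.replace("\r\n", "\n").replace("\n ", "")
    entries, current = [], {}
    for line in unfolded.split("\n") + [""]:
        if not line.strip():              # blank line ends an entry
            if current:
                entries.append(current)
            current = {}
        elif not line.startswith("#"):    # skip comments
            attr, _, rest = line.partition(":")
            if rest.startswith(":"):      # "attr:: value" is base64-encoded
                value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
            else:
                value = rest.strip()
            current.setdefault(attr.lower(), []).append(value)
    return entries

def password_state(entry):
    # Which kinds of password material does this entry carry?
    has_samba = any(v for a in ("sambantpassword", "sambalmpassword")
                    for v in entry.get(a, []))
    has_unix = any(entry.get("userpassword", []))
    if has_samba and not has_unix:
        return "samba-only"    # simple binds fail until the password is changed
    if has_samba:
        return "both-present"  # presence only; this cannot prove the two match
    return "unix-only" if has_unix else "no-password"

def audit(text):
    # Map each DN to its password state; lines without a dn (e.g. "version: 1") are skipped.
    return {e["dn"][0]: password_state(e) for e in parse_ldif(text) if "dn" in e}

if __name__ == "__main__":
    for dn, state in audit(SAMPLE_LDIF).items():
        print(f"{state:13} {dn}")
```

Accounts reported as samba-only are the ones that still need the forced password change before ordinary LDAP clients can bind as them.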
