After setting up Samba to work with an FDS LDAP server: http://directory.fedoraproject.org/wiki/Howto:Samba
... I see that the samba password hashes are shown with a simple ldapsearch command. If you scroll to the bottom of the page linked above and see the search results for:

ldapsearch -x -Z '(uid=testuser)'

You will see the hashes:

sambaLMPassword: CFA95C51F11AB11DC2265B23734E0DAC
sambaNTPassword: B2D88A4A9B0DAEE170E75F67D54918F6

This seems to be confidential information that you would not want showing in an anonymous LDAP search. ... For the same reason you would not want open permissions on your shadow password file.

I see that the userPassword hash is not shown in the example above. In my tests, I only see this Unix password hash if I run ldapsearch as "cn=Directory Manager".

Is there a way to also hide the Samba password hashes without breaking Samba functionality? Say, by using some LDAP rights-management tool to limit access to these attributes to certain accounts. Or does Samba require these hashes to be generally readable?

--
Amin Al-Regan
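A check for the exposure described in the post, as an added example that is not part of the original message: it parses the LDIF text printed by an anonymous `ldapsearch -x` and reports which entries returned password-hash attributes, handling folded lines and base64 (`::`) values. The sample output, the `example.com` DNs and the hash values are constructed, and the function names are hypothetical.

```python
import base64

# Password-equivalent attributes: the two Samba names are from the post,
# userPassword is the Unix hash the post also mentions.
SENSITIVE = {"sambalmpassword", "sambantpassword", "userpassword"}

# Constructed sample of anonymous ldapsearch output (not real hashes).
SAMPLE = """\
# testuser, People, example.com
dn: uid=testuser,ou=People,dc=example,dc=com
uid: testuser
sambaLMPassword: 00000000000000000000000000000000
sambaNTPassword: 1111111111111111
 1111111111111111

dn: uid=other,ou=People,dc=example,dc=com
uid: other

# search result
result: 0 Success
"""

def parse_ldif(text):
    """Yield (dn, {attr_lowercase: [values]}) for each entry in LDIF text."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:   # folded line continues the previous one
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    dn, attrs = None, {}
    for line in lines + [""]:               # trailing "" flushes the last entry
        if not line.strip():
            if dn is not None:
                yield dn, attrs
            dn, attrs = None, {}
        elif not line.startswith("#") and ":" in line:
            name, _, rest = line.partition(":")
            if rest.startswith(":"):        # "attr:: <base64>"
                rest = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
            if name.lower() == "dn":
                dn = rest.strip()
            else:
                attrs.setdefault(name.lower(), []).append(rest.strip())

def exposed_secrets(ldif_text):
    """Return sorted (dn, attribute) pairs where a sensitive attribute came back."""
    return sorted((dn, a) for dn, attrs in parse_ldif(ldif_text)
                  for a in attrs if a in SENSITIVE)
```

An empty result from `exposed_secrets` on the output of an anonymous search means none of the listed attributes were returned to that bind.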
