Re: [Samba] exported LDAP DB file smbpasswd?

2012-05-28 Thread Andrew Bartlett
On Thu, 2012-05-24 at 16:25 -0400, aurfalien wrote:
 Hi all,
 
 I am using OpenLDAP and have over ~800 users in its DB.

If you have sambaNTPassword values and have Samba connected to it as
its passdb backend, you can extract it using pdbedit -w.

Otherwise (unless you stored cleartext), it is cryptographically
impossible.

Andrew Bartlett

-- 
Andrew Bartlett                        http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
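
Andrew's distinction above, as an added example that is not part of the original thread: a sketch that reads an LDIF export and reports which accounts already carry a sambaNTPassword value and which hold only a userPassword value that Samba cannot use for NTLM. The sample entries, DNs, values and the status labels are constructed for this example.

```python
import base64
import re

NT_HASH = re.compile(r"^[0-9A-Fa-f]{32}$")    # sambaNTPassword: 16 bytes as hex
SCHEME = re.compile(r"^\{([A-Za-z0-9-]+)\}")  # userPassword prefix, e.g. {SSHA}
# Constructed sample export: users, DNs and values are made up for this example.
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=org
uid: alice
userPassword:: %s
sambaNTPassword: 00112233445566778899AABBCCDDEEFF

dn: uid=bob,ou=People,dc=example,dc=org
uid: bob
userPassword: {CRYPT}$1$constructed$sample

dn: uid=carol,ou=People,dc=example,dc=org
uid: carol
userPassword: {SSHA}constructed-
 folded-sample
sambaNTPassword: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

dn: uid=dave,ou=People,dc=example,dc=org
uid: dave
userPassword: constructed-cleartext
""" % base64.b64encode(b"{SSHA}constructed-sample").decode()

def parse_ldif(text):
    """Yield one {attribute: [values]} dict per record; a line that starts
    with a single space continues the previous line (RFC 2849 folding)."""
    unfolded = re.sub(r"\n ", "", text)
    for block in re.split(r"\n\s*\n", unfolded.strip()):
        entry = {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            name, _, value = line.partition(":")
            if value.startswith(":"):  # "attr:: <base64>" form
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            entry.setdefault(name.strip().lower(), []).append(value.strip())
        yield entry

def classify(entry):
    """Return (status, userPassword scheme or None) for one account."""
    # Only a 32-hex-digit value counts; placeholders such as a run of X do not.
    if NT_HASH.match(entry.get("sambantpassword", [""])[0]):
        return ("nt-hash-present", None)
    for pw in entry.get("userpassword", []):
        m = SCHEME.match(pw)
        # A scheme prefix means a one-way hash: no NT hash can be derived from it.
        return ("reset-required", m.group(1).upper()) if m else ("cleartext-stored", None)
    return ("no-password", None)

def audit(text):
    return {e["uid"][0]: classify(e) for e in parse_ldif(text) if "uid" in e}

if __name__ == "__main__":
    for uid, (status, scheme) in sorted(audit(SAMPLE_LDIF).items()):
        print(uid, status, scheme or "-")
```

Accounts reported as nt-hash-present are the ones pdbedit can carry over; the others need a new Samba password set.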


Re: [Samba] exported LDAP DB file smbpasswd?

2012-05-25 Thread Collen

Hi,

why not export with pdbedit and then import it again ?!
no converting needed... (except for smb.conf that is.)

cheers.

On 25-5-2012 0:01, Gaiseric Vandal wrote:

Just what is in the documentation on samba.org.

Anything involving plain-text authentication seems to be discouraged.



On 05/24/12 17:56, aurfalien wrote:


On 05/24/12 16:25, aurfalien wrote:

Hi all,

I am using OpenLDAP and have over ~800 users in its DB.

I would like to simply use Samba as a file server, no PDC.

I have been able to export my LDAP DB to a file containing hashes of users'
passwords.

Is there a way I can import this file to smbpasswd or other file that Samba
understands so that my 800 some odd users won't have to re-register their
passwords?

I would really love to avoid having 800 annoyed users retyping their passwords
for accessing shares.

I have them currently authenticating on Windows via an LDAP client (pGina).

- aurf





--
---
Collen Blijenberg - systeem/netwerk beheerder



Re: [Samba] exported LDAP DB file smbpasswd?

2012-05-25 Thread aurfalien
Now that's brilliant, elegant and simple.

Thanks Collen, looking forward to trying it.

- aurf
On May 25, 2012, at 2:31 AM, Collen wrote:

 Hi,
 
 why not export with pdbedit and then import it again ?!
 no converting needed... (except for smb.conf that is.)
 
 cheers.
 


Re: [Samba] exported LDAP DB file smbpasswd?

2012-05-25 Thread Gaiseric Vandal
pdbedit will export the Windows password from the SambaNTPassword
field (won't it?)

My understanding was that pGina was using the unix password in the
userPassword field? Or am I wrong?




On 05/25/12 09:36, aurfalien wrote:
 Now that's brilliant, elegant and simple.

 Thanks Collen, looking forward to trying it.

 - aurf


Re: [Samba] exported LDAP DB file smbpasswd?

2012-05-25 Thread aurfalien
I am using pGina for authing, correct.

But when I map drive shares, I'll need some kind of authing mechanism.

My desire was this;

Since I already auth the user during their pGina login to Windows, I did not
want to auth again for drive mapping to a Samba server.

But... since this SSO doesn't carry through to Samba as the Samba file server
does not know who this person is requesting a drive map, they will need to
input credentials.

What I would really LOVE is this;

Since authing has already been taken care of during log in, to be able to map
a drive as that user w/o needing to input a password.

This way whatever they touch on the server will maintain their UID/GID or UGO
rather.

This in effect will make Samba act as NFS in a way with regards to security 
(who are you and what are you allowed to do).

- aurf




On May 25, 2012, at 9:44 AM, Gaiseric Vandal wrote:

 pdbedit will export the Windows password from the SambaNTPassword
 field (won't it?)
 
 My understanding was that pGina was using the unix password in the
 userPassword field? Or am I wrong?
 
 
 
 


Re: [Samba] exported LDAP DB file smbpasswd?

2012-05-25 Thread aurfalien
I would also like to add that since Samba and in effect Windows does not behave 
like Nix with regards to who you are and what you are trying to do, looks like 
I will have to integrate PDC functionality into my LDAP server :(

Man, this easily quadruples my overall LDAP database, gross.

But at least SSO will work.

Am I on the right track?

- aurf

On May 25, 2012, at 9:44 AM, Gaiseric Vandal wrote:

 pdbedit will export the Windows password from the SambaNTPassword
 field (won't it?)
 
 My understanding was that pGina was using the unix password in the
 userPassword field? Or am I wrong?
 
 
 
 


Re: [Samba] exported LDAP DB file smbpasswd?

2012-05-25 Thread Gaiseric Vandal
I understand what you are trying to accomplish.

However I do not know which LDAP field is used for the pGina
password - I believe it is userPassword but I am not sure.

It seems to me you have three options

1.  Crack the unix passwords so you can create matching windows passwords.
2.  Configure Samba and your Windows clients to use plain text
authentication so that your unix passwords can be used for authentication.
3.  Prior to switching users to samba, have them create their samba
passwords.  Or you may have to set an initial password for each user. 

 

If I were to try to have users set their samba passwords, I would
probably try to set up a web page that validates their login against the
current non-samba password (Plaintext auth over SSL encryption), then
passes the password and user name to a script to set their samba password. 



It would be simpler if the Windows machines were in a Samba domain - but
that may be tricky to do. 



On 05/25/12 09:57, aurfalien wrote:
 I am using pGina for authing, correct.

 But when I map drive shares, I'll need some kind of authing mechanism.

 My desire was this;

 Since I already auth the user during their pGina login to Windows, I did not
 want to auth again for drive mapping to a Samba server.

 But... since this SSO doesn't carry through to Samba as the Samba file server
 does not know who this person is requesting a drive map, they will need to
 input credentials.

 What I would really LOVE is this;

 Since authing has already been taken care of during log in, to be able to
 map a drive as that user w/o needing to input a password.

 This way whatever they touch on the server will maintain their UID/GID or UGO
 rather.

 This in effect will make Samba act as NFS in a way with regards to security 
 (who are you and what are you allowed to do).

 - aurf






Re: [Samba] exported LDAP DB file smbpasswd?

2012-05-24 Thread Gaiseric Vandal
Presumably with the PGINA/LDAP solution, the hash method is something
unix-compatible (e.g. unix crypt+md5, or SSHA) that is hard to break
with a password cracking program? Are the LDAP transmissions done in
the clear?  If so, you could sniff the traffic and capture the
passwords.   (You may not consider this ethical.)  Either way, if you
had a database of plain text passwords you could then create the NTLM
passwords for each user.

You could try configuring samba to permit plain text passwords for
authentication.  I think (but not sure) that you could then configure samba
to use pam authentication (the same way a unix login would.)  But you
would then need to configure all the Windows PC's to support plain text
passwords.








On 05/24/12 16:25, aurfalien wrote:
 Hi all,

 I am using OpenLDAP and have over ~800 users in its DB.

 I would like to simply use Samba as a file server, no PDC.

 I have been able to export my LDAP DB to a file containing hashes of users'
 passwords.

 Is there a way I can import this file to smbpasswd or other file that Samba
 understands so that my 800 some odd users won't have to re-register their
 passwords?

 I would really love to avoid having 800 annoyed users retyping their
 passwords for accessing shares.

 I have them currently authenticating on Windows via an LDAP client (pGina).

 - aurf



Re: [Samba] exported LDAP DB file smbpasswd?

2012-05-24 Thread aurfalien
Hi Gaiseric,

I tried w/o success in configuring Samba + PAM last night.

Do you know of any documentation that would help?

- aurf


On May 24, 2012, at 5:35 PM, Gaiseric Vandal wrote:

 Presumably with the PGINA/LDAP solution, the hash method is something
 unix-compatible (e.g. unix crypt+md5, or SSHA) that is hard to break
 with a password cracking program? Are the LDAP transmissions done in
 the clear?  If so, you could sniff the traffic and capture the
 passwords.   (You may not consider this ethical.)  Either way, if you
 had a database of plain text passwords you could then create the NTLM
 passwords for each user.
 
 You could try configuring samba to permit plain text passwords for
 authentication.  I think (but not sure) that you could then configure samba
 to use pam authentication (the same way a unix login would.)  But you
 would then need to configure all the Windows PC's to support plain text
 passwords.
 
 
 
 
 
 
 
 


Re: [Samba] exported LDAP DB file smbpasswd?

2012-05-24 Thread Gaiseric Vandal
Just what is in the documentation on samba.org.

Anything involving plain-text authentication seems to be discouraged.



On 05/24/12 17:56, aurfalien wrote:
 Hi Gaiseric,

 I tried w/o success in configuring Samba + PAM last night.

 Do you know of any documentation that would help?

 - aurf

