From: Peter Rundle [mailto:[EMAIL PROTECTED]]
>
> Sluggers,
>
> I've been busy converting my authentication system to LDAP for all
> my Solaris and Linux boxen. Converting NT however is proving to be
> a bit of a challenge. I was just given an off the wall suggestion
> that perhaps we should use the latest version of Samba (on Linux of
> course :-) as the PDC for the windows domain. Configure Samba to
> use pam_ldap to authenticate and hey presto.
>
> Anyone been there done that, got any advice before I charge in and
> get burnt? One thing that comes to mind is encrypted passwords, the
> LDAP server keeps the password in SHA format, if Samba gets an
> encrypted password in whatever Doze format, how can it make the
> comparison? or does Samba know how to decrypt the password coming
> from the Doze box so it can generate a Unix crypt passwd for
> pam_pwdb.so authentication?
>
> Any and all thoughts gratefully accepted.

Windows sends hashes, not actual passwords so the Samba server cannot
actually decrypt them unless you configure it to only accept plain-text
passwords from the Windows host and do a bit of hacking inside the Samba
code.

From that, it sounds like the scheme you are proposing will not work and
you're going to have to maintain two password lists unless you can get a
different logon mechanism working on the NT boxes (this is possible but
pretty difficult to get working right).

I'm really not sure what to suggest here. Even if you do get auth working,
getting the password change mechanism happening seamlessly is going to be a
whole new area of pain. That's just my experience anyhow - the Samba guys
may know things I don't (more than possible).

John Wiltshire
--
SLUG - Sydney Linux User Group Mailing List - http://slug.org.au/
More Info: http://slug.org.au/lists/listinfo/slug