
Re: Samba, email, LDAP and password integration and management



Hi Brian!

You won't be able to use the same password-attributes for Windows and other systems. Samba stores its data in two attributes (lmPassword and ntPassword or similar). These are hashes of the user-password which aren't compatible with - let's say - crypt or MD5 which are used by a lot of Unix-flavors.

The only way is to store these passwords in different attributes and synchronize them. Samba supports calling a script on password change (see man smb.conf, search for "passwd program" and "passwd chat"). Linux can synchronize the Windows passwords via PAM. The password-change script which would be called by Samba could check the quality of the password.

This ain't nice but with a bit of luck it should work...

BTW: The Windows-hashes are not very secure and should be protected by good ACLs.


Chris

Brian Johnson wrote:
I set up a test server about a year ago to try this and gave up since it didn't seem
that the processes were quite yet in place to do it ..

I am evaluating the potential for Samba and Linux accounts (including postfix email
accounts) to share the same passwords (between software) and have a process in place
to encourage users to change their passwords and try to prevent easy to crack passwords

Could someone please confirm whether they have such a system working and how
difficult it was to set up?

When I looked at it before, it seemed that although Samba could use LDAP, it used a
different schema from the standard system accounts and therefore there was not
really any sharing of password data

If it matters, my server I'd like to do this on is a Redhat 7.3 system
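
The advice in the reply above to protect the Windows hashes with good ACLs, sketched as an added slapd.conf fragment that is not part of the original thread. The base DN, the `cn=samba-admin` account and the attribute names `lmPassword`/`ntPassword` are assumptions (the reply itself says "or similar"; use the names from the Samba schema you have loaded).

```conf
# slapd.conf (OpenLDAP) access rules -- added example with hypothetical DNs.
# Within one "access to" clause and across clauses the first match wins,
# so the password rules must come BEFORE any catch-all read rule.

# Unix-side password (crypt/MD5 in userPassword):
#   - the owner may change it
#   - anonymous clients may only use it to bind (auth), never read it
#   - nobody else sees it
access to attrs=userPassword
    by dn.exact="cn=samba-admin,dc=example,dc=org" write
    by self write
    by anonymous auth
    by * none

# Samba hashes: the LM and NT hashes are unsalted, so anyone who can read
# them can test password guesses offline. Only the account Samba binds as
# gets access (write implies read); "by * none" hides them even from other
# authenticated users.
access to attrs=lmPassword,ntPassword
    by dn.exact="cn=samba-admin,dc=example,dc=org" write
    by * none

# Everything else stays readable. A lone rule like this one, with the two
# clauses above missing, is the weak configuration: it exposes both
# password attributes to every client.
access to *
    by * read
```

After loading the rules, an anonymous `ldapsearch -x` for a user entry should return the entry without any of the three password attributes.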