Yes. And once Samba4 is a full-fledged member of an AD domain, the
other AD servers will happily replicate data to it... including the
clear-text password. Samba4 can then expose it in the userPassword field.

Ah, so Samba4 as a PDC rather than member server, peering with Microsoft
PDCs. That is an option I had not considered, and is certainly an
interesting possibility, though still dependent on the per-account or
whole-domain setting and a password change.

The reason IAS works is that it does super-secret magic Microsoft
calls that no one has figured out. If Samba4 is a member of the AD
domain, it doesn't have to figure out those calls.

Indeed.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html