On Wed, 2010-03-17 at 13:40 +0800, David Adam wrote:
> On Tue, 16 Mar 2010, SMC wrote:
> > On Monday 15 March 2010 22:42:41 Mike wrote:
> > > I may well be insane, but as soon as I read your question, I thought
> > > "how novel" and now want to find out the answer, myself.
> >
> > Well, not necessarily novel if I reword my question as "Would I still have
> > to maintain two separate authentication databases if I want to use Samba4
> > with some non-Microsoft clients that don't have Samba installed?"
> >
> > For example, can Samba4 work with mail or web servers that can authenticate
> > via "LDAP", or simple Linux workstations that I don't necessarily want to
> > implement and maintain full-scale "ActiveDirectory(tm)"-mode authentication
> > for?
> >
> > The need to maintain two separate authentication databases has been my
> > biggest annoyance with Samba (I realize this isn't the fault of Samba but
> > rather a consequence of Microsoft's "special" password-hashing method).
> > That means if you don't use Samba every time you change your password, you
> > end up with your normal password and your Windows/Samba password out of
> > sync.
>
> We use the smbk5pwd overlay for OpenLDAP to solve this problem - when you
> change your password using 'passwd' on a Linux machine or on a Windows
> machine, all password entries are updated.

I have to say that smbk5pwd and the hooks I added to Samba to make this work have been a great stopgap for the past few years. (I also wrote the original extensions to Heimdal to have it read the sambaNTPassword attribute, and the other Samba flags.)

With Samba4, the restrictions we have in the AD design (much closer integration with the KDC and LDAP server) have meant that these parts must now be under Samba4's control.

I hope this clarifies things,

Andrew Bartlett

--
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Cisco Inc.