Hey everyone, I'm running Samba on Slackware 10.2. As near as I can tell based on looking at the glibc source, my options for Unix passwords (in /etc/passwd, or LDAP -- same options) are these:
1. crypt() with plain old, busted traditional hashing. 2. crypt() with MD5 hashing, via $1$saltsalt$hashhashhashhash format; the crypt() function the special format and automatically uses the MD5 algorithm. Obviously, out of the two, the second one is preferable. So, I've configured smbldap-tools by putting the following in smbldap.conf: hash_encrypt="CRYPT" crypt_salt_format="$1$%.8s" So far, so good. Running smbldap-passwd causes crypt()-style MD5 passwords to go into userPassword attributes in LDAP, and Unix users can login just fine. The userPassword attributes look like {crypt}$1$saltsalt$hashhashhashhash just as RFC 2307 says they should if they are using the crypt hash scheme. Now, here's the question: how do I do the equivalent thing for Samba? How do I make Samba know it should use the crypt scheme for userPassword? If I put ldap password sync = Yes into smb.conf, then it is going to update userPassword attributes, but how is it going to know that I need it to use the crypt hash scheme? Or does it send a plaintext password and let the LDAP server take care of that? Is this a function of Samba or is it a function of the LDAP server? For what it's worth, I'm using OpenLDAP. I know if I use the OpenLDAP program slappasswd, I can tell manually *it* to generate passwords using the crypt scheme, but that's not the same thing as what the LDAP server does when it receives a password changing exop from Samba. For now, I'm planning to "solve" this problem by putting unix password sync = Yes passwd program = /path/to/smbldap-passwd -u %u passwd chat = (stuff appropriate for smbldap-passwd) into smb.conf. But this strikes me as a little ugly. As I understand it, smbldap-passwd changes LM and NT hashes, and so does Samba, so when Samba is asked to change a user's password, Samba is going to change LM and NT hashes, and then it's going to call smbldap-passwd which is going to change them again. I don't *know* of a reason why this is harmful, but it doesn't seem very clean... - Logan -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba