[Samba] PDC/Roving Profiles/and Password Encryption

2003-06-04 Thread Dan Kador
Hi All,
 
Well, despite my general idiocy I've managed to get PDC and roving profiles working 
perfectly in my test situation.  Obviously, this isn't good enough since computers are 
the devil, so I've run into some more problems.
 
Fortunately for the Samba team, this isn't a problem with Samba - I think it's more a 
problem with how our network is set up here.  
 
Basically, I'm wondering if there's a way to enable PDC and roving profiles using 
UNencrypted passwords.  I have it working WITH encrypted passwords, but this presents 
a problem as we're using an LDAP database that takes unencrypted passwords, and then 
when we actually login to a server (say the student server), the actual student server 
does the password hashing.  I'm not sure if that explanation makes sense, but the 
important thing is that each client computer MUST have cleartext passwords enabled or 
they cannot login to the student server.  
 
As far as I can tell, this is what happens when I login to the domain from my 2K box 
using unencrypted passwords.  I get into the domain just fine - if I have a profile 
path declared, I get an error saying that the profile cannot be loaded.  This stems 
from the client not getting a true PDC authentication with the server, as the server's 
shares are not viewable until I run a "NET USE" command that includes a valid username 
and password.  Once that is done, I can view any of the shares fine.  
 
If there's a way to circumvent this problem or if I've managed to screw yet another 
thing up, let me know.  And a preemptive thanks to John - you've been a lot of help :)
 
Thanks!
 
Dan


-
Do you Yahoo!?
Free online calendar with sync to Outlook(TM).
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba


Re: [Samba] PDC/Roving Profiles/and Password Encryption

2003-06-04 Thread Buchan Milne
> Message: 8
> Date: Tue, 3 Jun 2003 07:11:15 -0700 (PDT)
> From: Dan Kador <[EMAIL PROTECTED]>
> Subject: [Samba] PDC/Roving Profiles/and Password Encryption
> To: [EMAIL PROTECTED]
> Message-ID: <[EMAIL PROTECTED]>
> Content-Type: text/plain; charset=us-ascii
>
> Hi All,
>

> Well, despite my general idiocy I've managed to get PDC and roving
> profiles working perfectly in my test situation.  Obviously, this
> isn't good enough since computers are the devil, so I've run into some
> more problems.
>
> Fortunately for the Samba team, this isn't a problem with Samba - I
> think it's more a problem with how our network is set up here.
>
> Basically, I'm wondering if there's a way to enable PDC and roving
> profiles using UNencrypted passwords.

No, no Windows clients will join a domain with clear-text passwords.

> I have it working WITH
> encrypted passwords, but this presents a problem as we're using an
> LDAP database that takes unencrypted passwords, and then when we
> actually login to a server (say the student server), the actual
> student server does the password hashing.  I'm not sure if that
> explanation makes sense, but the important thing is that each client
> computer MUST have cleartext passwords enabled or they cannot login to
> the student server.

Not totally true, you can have samba authenticate against the NT
password hash stored in LDAP, and use synchronisation tools to keep the
unix hash and the NT hash in sync.

>
> As far as I can tell, this is what happens when I login to the domain
> from my 2K box using unencrypted passwords.  I get into the domain
> just fine - if I have a profile path declared, I get an error saying
> that the profile cannot be loaded.  This stems from the client not
> getting a true PDC authentication with the server, as the server's
> shares are not viewable until I run a "NET USE" command that includes
> a valid username and password.  Once that is done, I can view any of
> the shares fine.
>

Well, you won't be able to join new machines to the domain either.

> If there's a way to circumvent this problem or if I've managed to
> screw yet another thing up, let me know.  And a preemptive thanks to
> John - you've been a lot of help
>

See http://www.mandrakesecure.net/en/docs/samba-pdc.php for details in
getting samba running on an LDAP backend the easy way, and
http://www.mandrakesecure.net/en/docs/samba-ldap-advanced.php (not
totally complete yet) for adding in some cool features.

Buchan

-- 
|--Another happy Mandrake Club member--|
Buchan Milne Mechanical Engineer, Network Manager
Cellphone * Work +27 82 472 2231 * +27 21 8828820x202
Stellenbosch Automotive Engineering http://www.cae.co.za
GPG Key   http://ranger.dnsalias.com/bgmilne.asc
1024D/60D204A7 2919 E232 5610 A038 87B1 72D6 AC92 BA50 60D2 04A7

**
Please click on http://www.cae.co.za/disclaimer.htm to read our
e-mail disclaimer or send an e-mail to [EMAIL PROTECTED] for a copy.
**


Re: [Samba] PDC/Roving Profiles/and Password Encryption

2003-06-05 Thread Dan Kador
Buchan,
 
So you're saying that it IS possible for my setup to work?  I'll definitely give those 
guides a read through and maybe I'll be able to work through them. 
 
I want to be sure I understand you correctly, though - I can enable password 
encryption on the samba server, keep password encryption OFF on the clients, and use 
the LDAP database and migrate the passwords stored there to the samba server?
 
Thanks,
Dan

Buchan Milne <[EMAIL PROTECTED]> wrote:

No, no Windows clients will join a domain with clear-text passwords.
Not totally true, you can have samba authenticate against the NT
password hash stored in LDAP, and use synchronisation tools to keep the
unix hash and the NT hash in sync.
Well, you won't be able to join new machines to the domain either.


See http://www.mandrakesecure.net/en/docs/samba-pdc.php for details in
getting samba running on an LDAP backend the easy way, and
http://www.mandrakesecure.net/en/docs/samba-ldap-advanced.php (not
totally complete yet) for adding in some cool features.

Buchan



Re: [Samba] PDC/Roving Profiles/and Password Encryption

2003-06-05 Thread Buchan Milne
Dan Kador wrote:
> Buchan,
>
> So you're saying that it IS possible for my setup to work?

Yes, with some minor changes.

> I'll
> definitely give those guides a read through and maybe I'll be able to
> work through them.
>
> I want to be sure I understand you correctly, though - I can enable
> password encryption on the samba server, keep password encryption OFF on
> the clients

Password encryption will have to be on on the clients to join the domain.

> and use the LDAP database and migrate the passwords stored
> there to the samba server?

You will have to migrate passwords into samba while it is using
clear-text passwords (see 'update encrypted'), on a local file, then
once you have had your accounts migrated into smbpasswd file, you can
migrate them into LDAP easily.

You need to have encrypted passwords stored somewhere for this to work,
but that doesn't mean you can put everything in LDAP.

Buchan

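
The two-phase migration described in the reply above ('update encrypted' first, encrypted passwords afterwards), sketched as smb.conf fragments. This is an added example, not part of the original thread; the smbpasswd path is an assumed location, and the two [global] blocks are successive versions of the same section, not one file.

```ini
# Added example. /etc/samba/smbpasswd is an assumed path.

# --- Phase 1: migration window, clients still send clear-text passwords ---
[global]
    security = user
    # Accept clear-text logons, validated against the system password backend.
    encrypt passwords = no
    # On each successful clear-text logon, store the user's hashed
    # password in the smbpasswd file. Only operative while
    # encrypt passwords = no.
    update encrypted = yes
    smb passwd file = /etc/samba/smbpasswd

# --- Phase 2: once users have logged on and their hashes are stored ---
[global]
    security = user
    # Windows clients must use encrypted passwords to join the domain
    # and log on to it, so clear-text logons end here.
    encrypt passwords = yes
    update encrypted = no
    smb passwd file = /etc/samba/smbpasswd
    domain logons = yes
```

During phase 1 passwords cross the network in clear text, so the window should be kept short. Accounts that never log on in that window have no stored hash and need one set with smbpasswd before phase 2.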