Re: [Samba] ldap password sync and RFC2307 hash schemes

2006-06-30 Thread Logan Shaw

On Fri, 30 Jun 2006, Logan Shaw wrote:

> I'm running Samba on Slackware 10.2.  As near as I can tell
> based on looking at the glibc source, my options for Unix
> passwords (in /etc/passwd, or LDAP -- same options) are these:
>
> 1.  crypt() with plain old, busted traditional hashing.
> 2.  crypt() with MD5 hashing, via $1$saltsalt$hashhashhashhash
>    format; the crypt() function recognizes the special format and
>    automatically uses the MD5 algorithm.
>
> [...]
>
> Now, here's the question:  how do I do the equivalent thing
> for Samba?  How do I make Samba know it should use the crypt
> scheme for userPassword?  If I put
>
> ldap password sync = Yes
>
> into smb.conf, then it is going to update userPassword
> attributes, but how is it going to know that I need it to
> use the crypt hash scheme?  Or does it send a plaintext
> password and let the LDAP server take care of that?  Is this
> a function of Samba or is it a function of the LDAP server?


To answer my own question, the answer seems to be that Samba
will do an exop (extended operation) when talking to the LDAP
server and will ask it to change the password.  That means
I can have the OpenLDAP server select the correct password
hashing scheme by putting this into slapd.conf:

password-hash {CRYPT}
password-crypt-salt-format "$1$%.8s"

In other words, slapd.conf has very similar options to what
I had put into smbldap.conf.

(Now, if I could only figure out why sometimes ldappasswd,
which triggers a password exop, causes my password to get
reset to "*".  But that's another battle, I think...)

  - Logan
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba


[Samba] ldap password sync and RFC2307 hash schemes

2006-06-30 Thread Logan Shaw

Hey everyone,

I'm running Samba on Slackware 10.2.  As near as I can tell
based on looking at the glibc source, my options for Unix
passwords (in /etc/passwd, or LDAP -- same options) are these:

1.  crypt() with plain old, busted traditional hashing.
2.  crypt() with MD5 hashing, via $1$saltsalt$hashhashhashhash
format; the crypt() function recognizes the special format and
automatically uses the MD5 algorithm.

Obviously, out of the two, the second one is preferable.

So, I've configured smbldap-tools by putting the following
in smbldap.conf:

hash_encrypt="CRYPT"
crypt_salt_format="$1$%.8s"

So far, so good.  Running smbldap-passwd causes crypt()-style
MD5 passwords to go into userPassword attributes in LDAP, and
Unix users can login just fine.  The userPassword attributes
look like

{crypt}$1$saltsalt$hashhashhashhash

just as RFC 2307 says they should if they are using the crypt
hash scheme.

Now, here's the question:  how do I do the equivalent thing
for Samba?  How do I make Samba know it should use the crypt
scheme for userPassword?  If I put

ldap password sync = Yes

into smb.conf, then it is going to update userPassword
attributes, but how is it going to know that I need it to
use the crypt hash scheme?  Or does it send a plaintext
password and let the LDAP server take care of that?  Is this
a function of Samba or is it a function of the LDAP server?
For what it's worth, I'm using OpenLDAP.  I know if I use
the OpenLDAP program slappasswd, I can manually tell *it*
to generate passwords using the crypt scheme, but that's not
the same thing as what the LDAP server does when it receives
a password changing exop from Samba.

For now, I'm planning to "solve" this problem by putting

unix password sync = Yes
passwd program = /path/to/smbldap-passwd -u %u
passwd chat = (stuff appropriate for smbldap-passwd)

into smb.conf.  But this strikes me as a little ugly.  As I
understand it, smbldap-passwd changes LM and NT hashes, and so
does Samba, so when Samba is asked to change a user's password,
Samba is going to change LM and NT hashes, and then it's going
to call smbldap-passwd which is going to change them again.
I don't *know* of a reason why this is harmful, but it doesn't
seem very clean...

  - Logan