Hello,
I am using Centos 6 with 389 DS. Everything is working, I can authenticate my users against it etc.
Now I am trying to make Samba authenticate against the LDAP by following http://directory.fedoraproject.org/wiki/Howto:Samba
However, it seems that Samba does not read the 'password' value, but 'sambaNTPassword'. I wrote to the 389-DS mailing list and they said that there is no way to make Samba read the 'password'. So I must end up with two passwords (Samba and "normal" one). I cannot sync them, since crypt algorithms are different and I cannot just copy/paste the password to sambaNTPassword.
Did someone else have this issue? I need some file sharing software (can be even a web application), which can authenticate against LDAP, so all the people have one password for authentication.
Regards,
On Feb 27, 2013, at 8:22 AM, Todor Petkov wrote:
> Hello,
> I am using Centos 6 with 389 DS. Everything is working, I can authenticate my users against it etc.
> Now I am trying to make Samba authenticate against the LDAP by following http://directory.fedoraproject.org/wiki/Howto:Samba
> However, it seems that Samba does not read the 'password' value, but 'sambaNTPassword'. I wrote to the 389-DS mailing list and they said that there is no way to make Samba read the 'password'. So I must end up with two passwords (Samba and "normal" one). I cannot sync them, since crypt algorithms are different and I cannot just copy/paste the password to sambaNTPassword.
> Did someone else have this issue? I need some file sharing software (can be even a web application), which can authenticate against LDAP, so all the people have one password for authentication.
---- a lot of different ways to handle this - it all depends upon which language/tools you use.
I have used Webmin LDAP Users & Groups module which can set the sambaNTPassword and userPassword to the same value after encryption.
I have also written a framework application in ruby on rails for my current employer which does this and much much more.
There is also a smbldap-tools perl toolkit which can integrate with samba and can do the same thing.
Craig
On 27/02/2013 05:27 PM, Craig White wrote:
> a lot of different ways to handle this - it all depends upon which language/tools you use.
> I have used Webmin LDAP Users & Groups module which can set the sambaNTPassword and userPassword to the same value after encryption.
> I have also written a framework application in ruby on rails for my current employer which does this and much much more.
> There is also a smbldap-tools perl toolkit which can integrate with samba and can do the same thing.
> Craig
Thanks, I will check smbldap-tools.
I already have users in LDAP. I know, it will be easy if there is a new user, then I will just use the same password in the values, but I need to sync the current encrypted password to SambaNTPassword, which uses a different algorithm. Or just reset and send a new password to the person, but if he wants to change it via ssh (passwd), it will change only the password, not the samba one.
As for crypt method: I meant "encryption algorithm". I am using SSHA passwords, not crypt.
Regards,
On Feb 27, 2013, at 8:50 AM, Todor Petkov wrote:
> On 27/02/2013 05:27 PM, Craig White wrote:
>> a lot of different ways to handle this - it all depends upon which language/tools you use.
>> I have used Webmin LDAP Users & Groups module which can set the sambaNTPassword and userPassword to the same value after encryption.
>> I have also written a framework application in ruby on rails for my current employer which does this and much much more.
>> There is also a smbldap-tools perl toolkit which can integrate with samba and can do the same thing.
>> Craig
> Thanks, I will check smbldap-tools.
> I already have users in LDAP. I know, it will be easy if there is a new user, then I will just use the same password in the values, but I need to sync the current encrypted password to SambaNTPassword, which uses a different algorithm. Or just reset and send a new password to the person, but if he wants to change it via ssh (passwd), it will change only the password, not the samba one.
---- all of the known methods require an unencrypted value to then hash for LDAP sambaNTPassword and there is no way to take an encrypted value from userPassword and convert it to sambaNTPassword
Craig
On 27/02/2013 06:18 PM, Craig White wrote:
> all of the known methods require an unencrypted value to then hash for LDAP sambaNTPassword and there is no way to take an encrypted value from userPassword and convert it to sambaNTPassword
> Craig
Yeah, I know. I read many threads in 389-DS mailing list. I just wanted to be sure that there is no way to tell Samba 'use password instead of sambantpassword' before looking for other software for file sharing (not that I will expect to find any, everything nowadays is using some DB for users)
Thanks for the help to all who responded, I appreciate it.
On Wed, 2013-02-27 at 22:46 +0200, Todor Petkov wrote:
> On 27/02/2013 06:18 PM, Craig White wrote:
>> all of the known methods require an unencrypted value to then hash for LDAP sambaNTPassword and there is no way to take an encrypted value from userPassword and convert it to sambaNTPassword
>> Craig
> Yeah, I know. I read many threads in 389-DS mailing list. I just wanted to be sure that there is no way to tell Samba 'use password instead of sambantpassword' before looking for other software for file sharing (not that I will expect to find any, everything nowadays is using some DB for users)
---- It used to be possible by editing the registry on Windows boxes and disabling user password encryption (thus each user would send their passwords over the wire in clear text) but I don't know if such a thing is even possible with newer versions of Windows (Vista/Win7/Win8) and it was never a practical option.
Craig
Yes !!! Webmin is a real help on this and many many more issues...
On 2/27/2013 10:27 AM, Craig White wrote:
> On Feb 27, 2013, at 8:22 AM, Todor Petkov wrote:
>> Hello,
>> I am using Centos 6 with 389 DS. Everything is working, I can authenticate my users against it etc.
>> Now I am trying to make Samba authenticate against the LDAP by following http://directory.fedoraproject.org/wiki/Howto:Samba
>> However, it seems that Samba does not read the 'password' value, but 'sambaNTPassword'. I wrote to the 389-DS mailing list and they said that there is no way to make Samba read the 'password'. So I must end up with two passwords (Samba and "normal" one). I cannot sync them, since crypt algorithms are different and I cannot just copy/paste the password to sambaNTPassword.
>> Did someone else have this issue? I need some file sharing software (can be even a web application), which can authenticate against LDAP, so all the people have one password for authentication.
> a lot of different ways to handle this - it all depends upon which language/tools you use.
> I have used Webmin LDAP Users & Groups module which can set the sambaNTPassword and userPassword to the same value after encryption.
> I have also written a framework application in ruby on rails for my current employer which does this and much much more.
> There is also a smbldap-tools perl toolkit which can integrate with samba and can do the same thing.
> Craig
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
On Feb 27, 2013, at 8:22 AM, Todor Petkov wrote:
> Hello,
> I am using Centos 6 with 389 DS. Everything is working, I can authenticate my users against it etc.
> Now I am trying to make Samba authenticate against the LDAP by following http://directory.fedoraproject.org/wiki/Howto:Samba
> However, it seems that Samba does not read the 'password' value, but 'sambaNTPassword'. I wrote to the 389-DS mailing list and they said that there is no way to make Samba read the 'password'. So I must end up with two passwords (Samba and "normal" one). I cannot sync them, since crypt algorithms are different and I cannot just copy/paste the password to sambaNTPassword.
> Did someone else have this issue? I need some file sharing software (can be even a web application), which can authenticate against LDAP, so all the people have one password for authentication.
---- and by the way… if you actually want security for LDAP passwords (userPassword), use SSHA instead of crypt.
Craig