28 Jan
2006
28 Jan
'06
7:18 a.m.
Yes. And once Samba4 is a full-fledged member of an AD domain, the other AD servers will happily replicate data to it... including the clear-text password. Samba4 can then expose it in the userPassword field.
Ah, so samba4 as a PDC rather than member server, peering with microsoft PDCs. That is an option I had not considered, and is certainly an interesting possibility, though still dependent on the per-account or whole-domain setting and a password change.
The reason IAS works is that it does super-secret magic Microsoft calls that no one has figured out. If Samba4 is a member of the AD domain, it doesn't have to figure out those calls.
Indeed.