Phil Mayers <p.mayers@imperial.ac.uk> wrote:
Why would samba4 be any different that samba3 in that regard?
Because Samba4 will be a full-fledged AD domain member. Samba3 is a second-class citizen of an AD domain, as it implements NT domains.
I assume we are talking about the same thing (samba as a member server with a "real" microsoft PDC) in which case the code that would need adding would be an API on the windows side - AD realms (in fact NT domains all the way back to NT4 IIRC) can already store the password in "reversibly encrypted" plaintext to support CHAP (only via IAS and only running on the physical PDC) or Digest MD5 on HTTP.
Yes. And once Samba4 is a full-fledged member of an AD domain, the other AD servers will happily replicate data to it... including the clear-text password. Samba4 can then expose it in the userPassword field. The reason IAS works is that it does super-secret magic Microsoft calls that no one has figured out. If Samba4 is a member of the AD domain, it doesn't have to figure out those calls. Alan DeKok.