[Samba-it] Samba PDC LDAP - nothing works!

Piviul pluto at flanet.org
Wed Mar 9 09:49:01 MST 2005


giuseppe pasqualotto wrote:
> Forgive me, this is where I don't follow. What does Samba receive from the client? Isn't it
> the LM or NT hash of the password, which Samba then compares against the ones it
> already has somewhere (smbpasswd, tdb, ldap, mysql, etc.)?

AFAIK only the encrypted LM or NT password is exchanged:
> When a client requests a connection to an SMB server that supports encrypted passwords (such as Samba or Windows NT/2000/XP), the two computers undergo the following negotiations:
> 
>    1. The client attempts to negotiate a protocol with the server.
>    2. The server responds with a protocol and indicates that it supports encrypted passwords. At this time, it sends back a randomly generated 8-byte challenge string.
>    3. The client uses the challenge string as a key to encrypt its already encrypted password using an algorithm predefined by the negotiated protocol. It then sends the result to the server.
>    4. The server does the same thing with the encrypted password stored in its database. If the results match, the passwords are equivalent, and the user is authenticated.
> 
> Note that even though the original passwords are not involved in the authentication process, you need to be very careful that the encrypted passwords located inside the smbpasswd file are guarded from unauthorized users. If they are compromised, an unauthorized user can break into the system by replaying the steps of the previous algorithm. The encrypted passwords are just as sensitive as the plain-text passwords—this is known as plain-text-equivalent data in the cryptography world. Of course, your local security policy should require that the clients safeguard their plain-text-equivalent passwords as well.

(taken from http://us1.samba.org/samba/docs/using_samba/ch09.html)

Piviul
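The four-step exchange quoted above, as an added model that is not part of the original post or of Samba: the server stores only a password hash (in smbpasswd or LDAP), issues a random 8-byte challenge, and both sides derive the response from hash plus challenge. The real scheme uses MD4 over the UTF-16LE password and DES for the response; here SHA-256 and HMAC-SHA256 stand in for those primitives so the code runs anywhere, while the message flow and the property the quote warns about (the stored hash is plaintext-equivalent) are unchanged.

```python
"""Toy model of the SMB challenge-response described in the quoted text.

Constructed example. SHA-256 stands in for MD4(UTF-16LE(password)) and
HMAC-SHA256 stands in for the DES-based response; everything else follows
the quoted steps 1-4.
"""
import hashlib
import hmac
import os
from typing import Optional

CHALLENGE_LEN = 8  # "a randomly generated 8-byte challenge string"


def password_hash(password: str) -> bytes:
    """What the server stores and what the client derives locally.
    Stand-in for the NT hash; the cleartext never leaves the client."""
    return hashlib.sha256(password.encode("utf-16-le")).digest()


def new_challenge() -> bytes:
    """Step 2: fresh per-connection nonce sent by the server."""
    return os.urandom(CHALLENGE_LEN)


def response(pw_hash: bytes, challenge: bytes) -> bytes:
    """Steps 3/4: 'encrypt the already encrypted password' with the challenge.
    Only the hash is an input, so whoever holds the hash can produce this."""
    return hmac.new(pw_hash, challenge, hashlib.sha256).digest()


def server_verify(stored_hash: bytes, challenge: bytes, client_resp: bytes) -> bool:
    """Step 4: recompute from the stored hash and compare in constant time."""
    return hmac.compare_digest(response(stored_hash, challenge), client_resp)


def run_exchange(password: str, stored_hash: bytes,
                 challenge: Optional[bytes] = None) -> bool:
    """One authentication: client side uses the password, server side the stored hash."""
    if challenge is None:
        challenge = new_challenge()
    client_resp = response(password_hash(password), challenge)
    return server_verify(stored_hash, challenge, client_resp)


if __name__ == "__main__":
    stored = password_hash("Passw0rd")  # constructed sample credential
    print("correct password accepted:", run_exchange("Passw0rd", stored))
    print("wrong password accepted:  ", run_exchange("wrong", stored))
    # The random challenge stops replay of a captured wire response, but it
    # does nothing against a leaked hash store: protect it like the passwords.
```

The replay check in the test shows why the per-connection challenge matters: a response captured under one challenge fails under another, yet a leaked stored hash is enough to answer any challenge.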



More information about the samba-it mailing list