[Samba-it] Samba PDC LDAP - nothing works!

giuseppe pasqualotto giuseppe.pasqualotto at unifi.it
Wed Mar 9 15:09:01 MST 2005


Piviul wrote:

> giuseppe pasqualotto wrote:
>
>> Forgive me, I don't understand this part. What does Samba receive from
>> the client? Doesn't it receive the LM or NT hash of the password, which
>> Samba compares with the ones it already has somewhere (smbpasswd, tdb,
>> ldap, mysql, etc.)?
>
>
> AFAIK they only exchange the encrypted LM or NT password:
>
>> When a client requests a connection to an SMB server that supports 
>> encrypted passwords (such as Samba or Windows NT/2000/XP), the two 
>> computers undergo the following negotiations:
>>
>> 1. The client attempts to negotiate a protocol with the server.
>> 2. The server responds with a protocol and indicates that it supports 
>> encrypted passwords. At this time, it sends back a randomly generated 
>> 8-byte challenge string.
>> 3. The client uses the challenge string as a key to encrypt its 
>> already encrypted password using an algorithm predefined by the 
>> negotiated protocol. It then sends the result to the server.
>> 4. The server does the same thing with the encrypted password stored 
>> in its database. If the results match, the passwords are equivalent, 
>> and the user is authenticated.
>>
>> Note that even though the original passwords are not involved in the 
>> authentication process, you need to be very careful that the 
>> encrypted passwords located inside the smbpasswd file are guarded 
>> from unauthorized users. If they are compromised, an unauthorized 
>> user can break into the system by replaying the steps of the previous 
>> algorithm. The encrypted passwords are just as sensitive as the 
>> plain-text passwords - this is known as plain-text-equivalent data in 
>> the cryptography world. Of course, your local security policy should 
>> require that the clients safeguard their plain-text-equivalent 
>> passwords as well.
>
>
> (taken from http://us1.samba.org/samba/docs/using_samba/ch09.html)
>
> Piviul
All clear,
thanks.
Giuseppe
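
The four-step negotiation quoted above, as an added example that is not part of the original thread or of Samba's code. It shows why the stored hash is plain-text-equivalent: only the hash and the challenge enter the response computation. Assumptions: SHA-256 stands in for the LM/NT hash and HMAC-SHA256 for the protocol's DES-based response function; the class, function names, user and password are constructed for illustration.

```python
import hashlib
import hmac
import os

# Stand-ins (assumptions): SHA-256 replaces the LM/NT hash and HMAC-SHA256
# replaces the DES-based response function of the real protocol.

def password_hash(password: str) -> bytes:
    """The 'already encrypted password' kept in the server's database."""
    return hashlib.sha256(password.encode("utf-16-le")).digest()

def compute_response(stored_hash: bytes, challenge: bytes) -> bytes:
    """Step 3 (client) and step 4 (server): mix the hash with the challenge."""
    return hmac.new(stored_hash, challenge, hashlib.sha256).digest()

class Server:
    def __init__(self, database):
        self.database = database   # user -> stored hash (the smbpasswd role)
        self.pending = {}          # user -> challenge awaiting a response

    def new_challenge(self, user: str) -> bytes:
        """Step 2: random 8-byte challenge, remembered for one attempt."""
        self.pending[user] = os.urandom(8)
        return self.pending[user]

    def verify(self, user: str, response: bytes) -> bool:
        """Step 4: recompute from the stored hash and compare."""
        challenge = self.pending.pop(user, None)   # each challenge is single use
        stored = self.database.get(user)
        if challenge is None or stored is None:
            return False
        expected = compute_response(stored, challenge)
        return hmac.compare_digest(expected, response)  # constant-time compare

def demo():
    server = Server({"alice": password_hash("constructed-sample-pw")})
    results = {}
    # Normal login: the client derives the hash from the typed password.
    c1 = server.new_challenge("alice")
    r1 = compute_response(password_hash("constructed-sample-pw"), c1)
    results["correct_password"] = server.verify("alice", r1)
    # A response from an earlier exchange does not match a fresh challenge.
    server.new_challenge("alice")
    results["old_response_reused"] = server.verify("alice", r1)
    # The database entry alone yields a valid response; the password is never
    # needed, which is why the smbpasswd contents must be guarded like passwords.
    c3 = server.new_challenge("alice")
    r3 = compute_response(server.database["alice"], c3)
    results["stored_hash_only"] = server.verify("alice", r3)
    return results
```
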


