[Samba-it] Samba PDC LDAP - nothing works!
giuseppe pasqualotto
giuseppe.pasqualotto at unifi.it
Wed Mar 9 15:09:01 MST 2005
Piviul wrote:
> giuseppe pasqualotto wrote:
>
>> Forgive me, I don't understand this. What does Samba receive from the
>> client? Doesn't it receive the LM or NT hash of the password, which Samba
>> compares with the ones it already has somewhere (smbpasswd, tdb, ldap,
>> mysql, etc.)?
>
>
> AFAIK they only exchange the encrypted LM or NT password:
>
>> When a client requests a connection to an SMB server that supports
>> encrypted passwords (such as Samba or Windows NT/2000/XP), the two
>> computers undergo the following negotiations:
>>
>> 1. The client attempts to negotiate a protocol with the server.
>> 2. The server responds with a protocol and indicates that it supports
>> encrypted passwords. At this time, it sends back a randomly generated
>> 8-byte challenge string.
>> 3. The client uses the challenge string as a key to encrypt its
>> already encrypted password using an algorithm predefined by the
>> negotiated protocol. It then sends the result to the server.
>> 4. The server does the same thing with the encrypted password stored
>> in its database. If the results match, the passwords are equivalent,
>> and the user is authenticated.
>>
>> Note that even though the original passwords are not involved in the
>> authentication process, you need to be very careful that the
>> encrypted passwords located inside the smbpasswd file are guarded
>> from unauthorized users. If they are compromised, an unauthorized
>> user can break into the system by replaying the steps of the previous
>> algorithm. The encrypted passwords are just as sensitive as the
>> plain-text passwords--this is known as plain-text-equivalent data in
>> the cryptography world. Of course, your local security policy should
>> require that the clients safeguard their plain-text-equivalent
>> passwords as well.
>
>
> (taken from http://us1.samba.org/samba/docs/using_samba/ch09.html)
>
> Piviul
> _______________________________________________
> Samba-it mailing list
> Samba-it at xsec.it
> https://lists.xsec.it/mailman/listinfo/samba-it
>
All clear,
thanks.
Giuseppe
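
Added example, not part of the original messages and not Samba code: a model of the four-step challenge/response quoted above, showing why the stored hashes are plain-text-equivalent and need the same protection as the passwords themselves. SHA-256 and HMAC-SHA256 are stand-ins for the LM/NT hash and the protocol's DES-based response; the user name, password and function names are constructed for illustration.

```python
import hashlib
import hmac
import os

def stored_hash(password: str) -> bytes:
    # Stand-in for the LM/NT hash kept in smbpasswd/tdb/LDAP (assumption: SHA-256 here).
    return hashlib.sha256(password.encode("utf-16-le")).digest()

def new_challenge() -> bytes:
    # Step 2: the server sends a randomly generated 8-byte challenge.
    return os.urandom(8)

def response(pw_hash: bytes, challenge: bytes) -> bytes:
    # Step 3: the client combines its password hash with the challenge.
    # HMAC-SHA256 is a stand-in for the algorithm fixed by the negotiated protocol.
    return hmac.new(pw_hash, challenge, hashlib.sha256).digest()

def server_verify(db: dict, user: str, challenge: bytes, client_resp: bytes) -> bool:
    # Step 4: the server repeats the computation with the hash in its database.
    pw_hash = db.get(user)
    if pw_hash is None:
        return False
    return hmac.compare_digest(response(pw_hash, challenge), client_resp)

def demo() -> dict:
    password = "constructed-sample-password"      # constructed sample value
    db = {"alice": stored_hash(password)}         # hypothetical account database
    c1 = new_challenge()
    from_password = response(stored_hash(password), c1)
    # Only the database entry is used here: the plain-text password is never needed.
    from_db_entry = response(db["alice"], c1)
    c2 = new_challenge()
    return {
        "password_holder_accepted": server_verify(db, "alice", c1, from_password),
        "hash_holder_accepted": server_verify(db, "alice", c1, from_db_entry),
        # A response captured on the wire is bound to its challenge.
        "old_response_on_new_challenge": server_verify(db, "alice", c2, from_password),
        "wrong_password_accepted": server_verify(
            db, "alice", c1, response(stored_hash("wrong"), c1)),
    }

if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The second result is the point of the quoted warning: the server cannot distinguish someone who knows the password from someone who only holds the stored hash, so file permissions and LDAP ACLs on the hash attributes are the control that matters.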