Not *completely* relevant

Richard Sharpe sharpe at ns.aus.com
Mon Jan 17 12:17:55 GMT 2000


At 04:10 PM 1/18/00 +1100, Matthew Geddes wrote:
>Hi guys,
>
>I'm looking at having a single login/password for our users to access
>mail, logging into the NT domain, proxy authentication and others. What
>I'm after is your opinion on whether using something like PAM_SMB to
>authenticate the unix accounts is a good idea. The PDC is Linux with
>Samba-TNG as are all other servers bar one (NT). The load shouldn't be
>enough to break it.
>
>So, do you trust the NT Authentication method over the Unix one?

The UNIX Crypt function has a salt, which means that two users who use the
same password are unlikely to end up with the same password hash.  It seems
that this cannot be said for the NT MD4 or MD5 hash.

However, the biggest problem with PAM_SMB is that it uses my SMBlib, which
has some buffer overflows in it that I have never got around to fixing and
it does not implement encrypted passwords.  I have implemented the
encrypted stuff but never folded it back, so Dave Airlie never got it into
PAM_SMB.

You should probably use PAM_NTDOM, but that requires you run Samba as a
PDC, or have a PDC of some sort.

>I realise that it will mean an increase in network traffic around my
>servers, but how much?
>
>Does this sound like a *really* stupid idea for some reason I have quite
>obviously overlooked?
>
>Thanks heaps,
>
>Matt


Regards
-------
Richard Sharpe, sharpe at ns.aus.com, Master Linux Administrator :-),
Samba (Team member, www.samba.org), Ethereal (Team member, www.zing.org)
Co-author, SAMS Teach Yourself Samba in 24 Hours
Author: First Australian 5-day, intensive, hands-on Linux SysAdmin course
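
Added example, not part of the original message: a short Python sketch of the salt point made in the reply, showing that an unsalted hash table reveals which accounts share a password while a per-user salted table does not. The user names and passwords are constructed, and the hash functions are stand-ins (assumptions): SHA-256 over the UTF-16LE password in place of the NT hash (which is MD4 over the same encoding, often unavailable in modern hashlib builds) and PBKDF2-HMAC-SHA256 in place of crypt().

```python
import hashlib
import hmac
import os
from collections import defaultdict

def unsalted_hash(password):
    # Stand-in for the NT hash: no salt, so equal passwords give equal hashes.
    return hashlib.sha256(password.encode("utf-16-le")).hexdigest()

def salted_hash(password, salt=None):
    # Stand-in for salted crypt(): a fresh random salt per stored password.
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)
    return salt.hex() + "$" + digest.hex()

def verify_salted(password, stored):
    # Re-derive with the stored salt and compare in constant time.
    salt_hex, _ = stored.split("$")
    candidate = salted_hash(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored)

def shared_hashes(table):
    # Audit helper: groups of accounts whose stored hash is identical.
    groups = defaultdict(list)
    for user, stored in table.items():
        groups[stored].append(user)
    return sorted(sorted(users) for users in groups.values() if len(users) > 1)

# Constructed sample accounts; alice and bob picked the same password.
USERS = {"alice": "winter2000", "bob": "winter2000", "carol": "s3parate!"}

def demo():
    unsalted = {u: unsalted_hash(p) for u, p in USERS.items()}
    salted = {u: salted_hash(p) for u, p in USERS.items()}
    return shared_hashes(unsalted), shared_hashes(salted)

if __name__ == "__main__":
    in_unsalted, in_salted = demo()
    print("accounts sharing a hash (unsalted):", in_unsalted)
    print("accounts sharing a hash (salted):  ", in_salted)
```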


