passwords

tschweikle at FIDUCIA.de
Thu Mar 23 15:47:23 GMT 2000


On Thu, 23 Mar 2000, Sander Striker wrote:

> >On Thu, 23 Mar 2000, Sander Striker wrote:
> >
> >> Hmmm, interesting point. Let's do some creative thinking.
> >> Is there a way to set the password in smbpasswd (or the
> >> samr db) the first time a user ever logs in? Meaning that
> >> if a user is marked [first time user], his password is
> >> checked in an alternative way(using pam?), and setting the
> >> password to this value if it is correct. Luke?
>
> >> There is a transitional phase parameter built into samba
> >> [...]
>
> >added to samba at least 2 years ago: update encrypted password in
> >smb.conf. It means you have to disable encrypted password on the windows
> >box as you need the clear text password to check against anything other
> >than the NT/LM hashes.
>
> Yep, that was what I was thinking about, or at least trying to remember.
> It is still enabled then. Might be an option.
> I think however that disabling encryption in the clients is considered
> more of a hassle. People tend to loosen their security policy for a
> 'short' interval if they can get away with temporary centralized
> modifications, i.e. on the server. :-)
> This gave me another idea though, which isn't very nice, but could/would
> do the trick. Whenever the 'first time user' (which has of course to be
> defined and not disabled) logs in, the NT/LM hash is stored and used
> for further reference. This is a major security risk and should be done
> in a controlled environment. Also the time window for this should be very
> limited. If you don't trust everyone/anyone you can put the newly set hashes
> in a queue for nightly evaluation (or any other (idle) time for that
> matter), to crack the hash and check the password against /etc/passwd or
> equivalent.
> You would have to find a tool that does this for you... or write one :-)
>
> Hmmm, there was something in this department some time ago on samba-tech,
> let's see:

I avoided all this stuff by authenticating UNIX users against samba.
I am not sure this is possible with all UNIX flavors around, but
Linux and Solaris do work. You would have to use pam_smb to accomplish
this. Creating a soft link from passwd to smbpasswd makes UNIX users
use smbpasswd. Win98 and NT users can change their passwords the
way they are used to.

--


More information about the samba-ntdom mailing list