OT: change NT login procedure

James Sutherland jas88 at cam.ac.uk
Wed Jan 31 09:34:33 GMT 2001


On Wed, 31 Jan 2001, Toomas Soome wrote:

> Osama Abu-Aish wrote:
> > 
> > Hi out there,
> > 
> > this is somewhat OT, but I thought I would find the most competent
> > people for my idea here:
> > 
> > Background:
> > 
> > Since NT-UNIX password / account synchronization is a never-
> > ending story with many traps, I had an idea and wonder if anybody
> > has tried this before and could probably help me by sharing
> > his/her knowledge.
> > Since NT and UNIX use different security models, it is impossible
> > to integrate both into one central security database. Samba is
> > to a certain degree able to provide authentication to NT, but
> > it can't resolve the problem of having two password databases.
> > 
> > Idea:
> > 
> > All current implementations try to adapt the UNIX-side to match
> > the requirements given by NT. Now I wonder if it shouldn't be
> > possible to change the NT-side. What I'm dreaming of is all
> > our NT WKS authenticating against a LDAP-Server.
> > This _must_ somehow be possible since Novell manages it
> > with their NDS directory.
> > What I understand from MS documentation is that custom
> > authentication is supported and that two DLLs must be created:
> > a graphical user interface (GINA) and an authentication package.
> > 
> > Questions:
> > 1.) Does this make sense at all or is it only YASI (Yet another
> >      stupid idea :-)?
> > 2.) Has anybody tried something like this and could provide me
> >      with any information?
> > 3.) Would someone be interested in following this track?
> > 
> 
> I have implemented 1-way just now, but 2-way sync is planned and is
> awaiting implementation.
> 
> We have currently blocked passwd change from Windows and all passwords
> are changed from Unix (Solaris). I have written a PAM module for this
> task, stacked below pam_unix. pam_unix will take care of Unix passwords
> and pam_smb will write the password into the smbpasswd NIS+ table. This
> is the Unix -> Windows direction. This works well in our case.
> 
> Windows -> Unix is a problem, because we do not get the cleartext old
> password from the Windows client (am I wrong?). If so, we must save
> plaintext passwords in a safe place (encrypted with some internal
> key). It is generally a bad idea to have plaintext passwords around, but
> in a university environment it is not totally unacceptable. I mean, such
> a database must be protected with some sort of encryption, and if someone
> wants passwords, well, it is possible to use sniffers from PC classes,
> one can do a dictionary attack against password hashes, etc.

Against NT's "encryption", dictionary attacks are trivial (a few minutes
to run a large wordlist); even brute force on an ordinary desktop PC isn't
hard.

> So, if safe storage for old (or current) passwords is implemented, the
> next task is to rewrite the current Samba interface for password change
> to use the standard PAM interface (with the old password from internal
> storage and the new password from the client) and it's done. Nice and
> clean.
> 
> Of course, there are buts. How to handle username maps, what happens if
> we are going to have a domain trust or Kerberos environment, etc...

Two possibilities:

1. There is a pair of DLLs Novell replace in NDS for NT, which diverts all
NT auth stuff (including password changes) onto the NDS tree.

2. You can provide a "password filter" DLL to implement password checking
when the user changes password (e.g. check the new password is over X
characters, mixed case and numbers) - obviously, this DLL *IS* passed the
plaintext password - and username, I think.


Actually, if the NT machine tries to change the password on the Samba
machine, it should be synchronised back to Unix anyway, shouldn't it? In
which case, with Samba as your PDC, you should be OK.

The question is, can you get NT servers to authenticate against a Samba
PDC now???


James.
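As an added illustration of the "password filter" DLL mentioned in point 2 above (this is example code, not anything from the thread or from Samba), the skeleton below enforces the stated policy: longer than X characters, mixed case and a digit. The Windows export is guarded by `_WIN32` so the policy check itself compiles anywhere; `MIN_LEN` is an assumed value for X, and because the filter sees the plaintext, the code deliberately never logs or stores it.

```c
/* Added example: NT password-filter DLL skeleton (not code from the thread).
 * The policy check is portable; the LSA entry points are Windows-only. */
#include <stdbool.h>
#include <stddef.h>
#include <wchar.h>
#include <wctype.h>

#define MIN_LEN 8  /* assumed value for the "over X characters" rule */

/* Core policy: more than MIN_LEN characters, containing at least one
 * lower-case letter, one upper-case letter and one digit. Takes an explicit
 * length because the buffer handed over by NT is not NUL-terminated. */
bool password_meets_policy(const wchar_t *pw, size_t len)
{
    bool lower = false, upper = false, digit = false;

    if (pw == NULL || len <= MIN_LEN)
        return false;

    for (size_t i = 0; i < len; i++) {
        if (iswlower(pw[i]))
            lower = true;
        else if (iswupper(pw[i]))
            upper = true;
        else if (iswdigit(pw[i]))
            digit = true;
    }
    return lower && upper && digit;
}

#ifdef _WIN32
#include <windows.h>
#include <ntsecapi.h>   /* PUNICODE_STRING: Length is in bytes, not characters */

/* Called by the LSA before a password change is committed; returning FALSE
 * rejects the new password. The plaintext is visible here, so the filter
 * must never write it to a log, a file or the registry. */
__declspec(dllexport) BOOLEAN WINAPI PasswordFilter(PUNICODE_STRING AccountName,
    PUNICODE_STRING FullName, PUNICODE_STRING Password, BOOLEAN SetOperation)
{
    (void)AccountName; (void)FullName; (void)SetOperation;
    return password_meets_policy(Password->Buffer,
                                 Password->Length / sizeof(WCHAR)) ? TRUE : FALSE;
}

__declspec(dllexport) BOOLEAN WINAPI InitializeChangeNotify(void) { return TRUE; }
#endif
```

On Windows the DLL is registered by adding its name to the LSA "Notification Packages" value; on other systems only the policy function is built.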
