ldap lpPassword and ntPassword fields

Luke Kenneth Casson Leighton lkcl at switchboard.net
Tue Dec 15 20:15:48 GMT 1998


On Tue, 15 Dec 1998, Jeremy Allison wrote:

> Luke Kenneth Casson Leighton wrote:
> > 
> > ok, we may be able to make some modifications to pwdb_get_hex_pwd() and
> > set_hex_pwd() to encrypt the password string with some privately stored
> > information, e.g. syskey like nt does.
> 
> What would be the point of that ? I never understood your
> obsession with re-implementing NT :-). The password still
> has to go over the wire in plaintext for ldap v2 so why
> bother obfuscating it. And how is the information in syskey
> private. It's just hidden somewhere else - security through
> obscurity.

yep, in the private/ directory or in a file in /etc/security.
 
> The syskey design in NT is just plain broken, as by default
> it just adds another obfuscation layer. The off-disk syskey
> storage *is* of value but you're surely not suggesting that
> for Samba ? And let's be honest. Hands up all the people who

no, i'm not.  copying the syskey format is of benefit here, not storing it
on floppy unless unix admins really want to.

the idea is to use a private, local file to obfuscate over-the-wire data.
then you can transmit private/smbpasswd files as you wish, or store ldap
or nisplus data as you wish, but to decode it you must keep the
obfuscation file secret.
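
Added example, not part of the original message and not Samba code: a sketch of the scheme described above, where the hex password field is wrapped with a key held only in a private local file, so that the stored smbpasswd, LDAP or NIS+ value is opaque without that file. The helper names, the HMAC-SHA256 keystream and tag (used here instead of the NT syskey format) and the sample values are all assumptions.

```python
import hashlib
import hmac
import os

# Hypothetical helpers; names and field layout are assumptions for this
# example and are not Samba's pwdb_get_hex_pwd()/set_hex_pwd().

def _keystream(key: bytes, context: bytes, n: int) -> bytes:
    """HMAC-SHA256 in counter mode, bound to a per-entry context."""
    out = b""
    counter = 0
    while len(out) < n:
        out += hmac.new(key, b"enc" + context + counter.to_bytes(4, "big"),
                        hashlib.sha256).digest()
        counter += 1
    return out[:n]

def wrap_hex_pwd(key: bytes, user: str, hex_pwd: str, nonce: bytes = None) -> str:
    """Return the opaque hex string to store in smbpasswd/LDAP/NIS+."""
    raw = bytes.fromhex(hex_pwd)
    nonce = nonce or os.urandom(16)
    ctx = user.encode() + b"\0" + nonce          # binds the entry to its user
    body = bytes(a ^ b for a, b in zip(raw, _keystream(key, ctx, len(raw))))
    tag = hmac.new(key, b"mac" + ctx + body, hashlib.sha256).digest()[:16]
    return (nonce + body + tag).hex().upper()

def unwrap_hex_pwd(key: bytes, user: str, stored: str) -> str:
    """Recover the original hex hash; ValueError on wrong key or tampering."""
    blob = bytes.fromhex(stored)
    nonce, body, tag = blob[:16], blob[16:-16], blob[-16:]
    ctx = user.encode() + b"\0" + nonce
    want = hmac.new(key, b"mac" + ctx + body, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, want):
        raise ValueError("wrong key file or modified entry")
    raw = bytes(a ^ b for a, b in zip(body, _keystream(key, ctx, len(body))))
    return raw.hex().upper()

# Constructed sample data: a made-up 16-byte hash and a random local key.
SAMPLE_HASH = "00112233445566778899AABBCCDDEEFF"
LOCAL_KEY = os.urandom(32)   # would be read from a root-only file, e.g. under private/

if __name__ == "__main__":
    stored = wrap_hex_pwd(LOCAL_KEY, "alice", SAMPLE_HASH)
    print(stored)
    print(unwrap_hex_pwd(LOCAL_KEY, "alice", stored))
```

Anyone who can read the key file can recover every wrapped field, so the protection is exactly as strong as the access control on that file.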



