danny at cs.huji.ac.il
Fri May 22 15:19:32 GMT 1998
In message <Pine.LNX.3.96.980522142543.5288w-100000 at regent.cb1.com> you write:
}danny, can we move this to samba-technical? send me bits you think should
}be private (like the sec by ob) private...
Done. I'm only cc'ing this one to you just in case.
}On Fri, 22 May 1998, Danny Braniss wrote:
}> depends, for unix i just pass the hash, for nt/win i also pass the
}> challenge, and it also does OTP,
}what is otp?
One Time Password - we have these cards that generate an OTP, for
people that log in from untrusted sites, and will be giving them out to
students so they can work in the open spaces.
}so you are implementing pass-through, or trusted domains, already? in
}fact what you've done is make samba a "client" of your authentication
}what we have in samba with the current password database api is a
}so in fact what you would ideally need to do is to put the samba passdb.c
}etc API code into your _authentication_ server!
}damn and bugger. tricky. let me think about this one.
The way I see it, I'm moving towards the Unified Theory of Relativity ...
one authentication server for all.
}are you sure that if you can "set" the LM/NT passwords you can't add a
}"get"? NIS+ and ldap have the ability to do encrypted fields: can you not
}do "radius", which i assume is some encryption method, between the samba
}server and your authentication server?
I can do what I please, but then again, it's a production system
serving over 300 ws. Since the net is switched, I'm not worried about
sniffing, and samba is running on a 'safe/secure' host - we have intel
boxes to spare.
The main problem I have with my authentication server
(idNG) is that clients must believe the answer coming from it, and
so I'm working on a PGP-based encryption. Anyway, let me see what you
have done and I'll see what I can do.
}in that case if you can call a "set LM/NT hash", which is clear-text
}equivalent and presumably gets passed either in-the-clear (which is a
}security risk) or two-way-encrypted (ssl / rc4 / radius?), to the
}authentication server, why can you not add a "get LM/NT hash"?
}> what i did to enable nt-dom, was that when a user in the unix domain,
}> requests authentication, and it's ok, and there is yet no nt/lm
}> password i generate one.
}how? from what? from the clear-text password?
}danny, if you want your database to support NT domains, you are going to
}need to support "get/add/mod" for a complete struct smb_passwd or struct
}sam_passwd entry: these both have NT and LM hashes. if you need a unix
}password in there too, we can add a unix_crypt field, too, but only to
}the reason is that to do SAM replication, one Samba PDC needs to be able
}to obtain a complete struct sam_passwd entry and transfer it to a BDC.
I'm not planning, at this stage, to run a BDC - I am running with 2
nameservers, one NIS server, and one authentication server and things
are very stable -- FLW (Famous Last Words :-). I might need a BDC if I
go ahead and subnet/vlan the network.
}you also need it for checking the old password, when changing passwords.
To change the password, the API sends both the old and new; if ok then
the change is made - to all hashes - unix, nt, lm.
}> ps: btw, I'm doing yet another cvs xfer, no signs of pdb_ -yet-, it's
}> BRANCH_NTDOM yes?
}no - main branch. what will become 1.9.19alpha soon. BRANCH_NTDOM was
}dropped about six to eight weeks ago.
}keep going, we'll get there!
Good thing I'm not paying for net usage :-)