OT: change NT login procedure

Toomas Soome tsoome at ut.ee
Wed Jan 31 07:23:14 GMT 2001

Osama Abu-Aish wrote:
> Hi out there,
> this is somehow OT, but I thought to find the most competent
> people my idea here:
> Background:
> Since NT-UNIX password / account synchronization is a never
> ending story with many traps I had an idea and wonder if anybody
> has tried this before and could probably help me by sharing
> his/her knowledge.
> Since NT and UNIX use different security models, it is impossible
> to integrate both into one central security database. Samba is
> to a certain degree able to provide authentication to NT, but
> it can't resolve the problem of having two password databases.
> Idea:
> All current implementations try to adapt the UNIX-side to match
> the requirements given by NT. Now I wonder if it shouldn't be
> possible to change the NT-side. What I'm dreaming of is all
> our NT WKS authenticating against a LDAP-Server.
> This _must_ somehow be possible since novell manages it
> with their NDS directory.
> What I understand from MS documentation is that custom
> authentication is supported and that two dll's must be created:
> a graphical user interface (GINA) and a authentication package.
> Questions:
> 1.) Does this make sense at all or is it only YASI (Yet another
>      stupid idea :-)?
> 2.) Has anybody tried something like this and could provide me
>      with any information?
> 3.) Would someone be interested in following this track?

I have implemented 1-way just now, but 2 way sync is planned and is
waiting implementation.

we have currently blocked passwd change from windows and all passwords
are changed from unix (Solaris). I have written PAM module for this
task, stacked below pam_unix. pam_unix will take care of unix passwords
and pam_smb will write password into smbpasswd NIS+ table. this is unix
-> windows direction. this works well in our case.

windows-> unix is a problem, because we do not get cleartext old
password from windows client (am I wrong?). if so, we must save
plaintext passwords into the safe place (crypted with some internal
key). it is generally bad idea to have plaintext passwords around, but
in university environment it is not totally unacceptable. I mean, such
database must be protected with some sort of encryption and if someone
wants passwords, well it is possible to use sniffers from pc classes,
one can do dictionary attack against password hashes etc.

so, if safe sorage for old (or current) passwords is implemented, next
task is to rewrite current samba interface for password change to use
standard pam interface (with old password from internal storage and new
password from client) and it's done. nice and clean. 

of course, there are but's. how to handle username maps, what happens if
we are going to have domain trust or kerberos environment etc... 

	A creature that can leap to tremendous heights... once.

More information about the samba-technical mailing list