OT: change NT login procedure

Osama Abu-Aish osabmt00 at fht-esslingen.de
Wed Jan 31 09:00:48 GMT 2001

Am 31 Jan 2001, um 9:23 Uhr schrieb Toomas Soome zum Thema Re: OT: change NT login procedure:
Dazu meine Meinung:

> we have currently blocked passwd change from windows and all passwords
> are changed from unix (Solaris). I have written PAM module for this
> task, stacked below pam_unix. pam_unix will take care of unix passwords
> and pam_smb will write password into smbpasswd NIS+ table. this is unix
> -> windows direction. this works well in our case.
I know that PAM enables us to authenticate a unix box against windows.
What I'm looking for is the other way round: windows->unix. 

> windows-> unix is a problem, because we do not get cleartext old
> password from windows client (am I wrong?). if so, we must save
The GINA is the part of the authentication system that receives the
password from the user. So there we have the plaintext passwd and
can do anything with it (like crypt()ing and updation in the unix-fashion).

> plaintext passwords into the safe place (crypted with some internal
> key). it is generally bad idea to have plaintext passwords around, but
> in university environment it is not totally unacceptable. I mean, such
> database must be protected with some sort of encryption and if someone
> wants passwords, well it is possible to use sniffers from pc classes,
> one can do dictionary attack against password hashes etc.
Off course the implementation must match the local requierements
concerning security. In many environments NIS is used which sends
the passwd-hashes (which are cleartext equivalent) over the wire. And
AFAIK LDAP authentication sends also the passwd in cleartext.
The charme of an open implementation of a NT authentication package
would be that it could be easily modified (IMHO that's what makes PAM
so powerful). I.e.one could integrate SSL to protect the login-process.

Apart from this it's not only password synchronisation I'm thinking of
(but off course it's the most important aspect), but I'd like to have a central
user database containing _all_ account information. The best thing
for me would be a LDAP directory containing an object for each user with
_all_ information needed by windows, unix, etc...

> so, if safe sorage for old (or current) passwords is implemented, next
> task is to rewrite current samba interface for password change to use
> standard pam interface (with old password from internal storage and new
> password from client) and it's done. nice and clean. 
But this doesn't solve the problem that samba never sees the cleartext
passwd because on standard NT authentication only the MD4'ed passwd
is available to samba. Therefore it can't change the user's unix passwd.

> of course, there are but's. how to handle username maps, what happens if
> we are going to have domain trust or kerberos environment etc... 
which could perhaps be handled easier on the NT side...
Greetings Osama

Fachhochschule für Technik Esslingen
Außenstelle Goeppingen

More information about the samba-technical mailing list