OT: change NT login procedure

Osama Abu-Aish osabmt00 at fht-esslingen.de
Wed Jan 31 10:18:22 GMT 2001


On 31 Jan 2001, at 9:34, James Sutherland wrote on the subject Re: OT: change NT login procedure:
My opinion on that:

> Against NT's "encryption", dictionary attacks are trivial (a few minutes
> to run a large wordlist); even brute force on an ordinary desktop PC isn't
> hard.
True - and one more reason to switch to a different authentication scheme :)
 
> 1. There is a pair of DLLs Novell replace in NDS for NT, which diverts all
> NT auth stuff (including password changes) onto the NDS tree.
I've searched Novell's technical sites and also found this. It seems to be
a reasonable way. I'm going to investigate the NISGINA code to see whether it
could be modified to do what I want.

> 2. You can provide a "password filter" DLL to implement password checking
> when the user changes password (e.g. check the new password is over X
> characters, mixed case and numbers) - obviously, this DLL *IS* passed the
> plaintext password - and username, I think.
But this only allows password-related actions. What I'm looking for is something
more general: I want NT to retrieve _all_ of its account information from the LDAP
directory.

> Actually, if the NT machine tries to change the password on the Samba
> machine, it should be synchronised back to Unix anyway, shouldn't it? In
> which case, with Samba as your PDC, you should be OK.
True - as long as no user changes his password on the Unix command line, as
this would destroy synchronization. IMHO, as long as there are two different
user databases for Windows and Unix there is always the risk of getting them
out of sync. Using a single database for both systems would solve this problem.
 
> The question is, can you get NT servers to authenticate against a Samba
> PDC now???
I don't know exactly what you mean:
1.) You can make an NT Server a member of a Samba-controlled domain. But then
the question is: why use NT Server and not WKS, since the difference is the
server's ability to act as PDC?

2.) If you mean that the clients authenticate against an NT server, which passes the
authentication through to Samba (somewhat like Samba's "password server"
feature) - I don't think this is possible. But maybe I'm wrong here.

Novell addresses this by replacing SAMLIB.DLL (the one which provides
account database access) with their own. This only needs to be done on the
servers to make them look up the account information in the NDS instead
of their local SAM.

Osama

---
Fachhochschule für Technik Esslingen
Außenstelle Goeppingen
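The password-filter DLL James refers to is a real Win32 mechanism: the LSA loads the DLL named in the Notification Packages registry value and calls its exported PasswordFilter(AccountName, FullName, Password, SetOperation) with UNICODE_STRING arguments, so the filter does see both the plaintext password and the account name, and returning FALSE rejects the change. The following is an added example, not code from this thread, from Samba or from Novell: it shows the policy check such a DLL would implement (minimum length, mixed case, a digit), written in portable C with a stand-in PWF_STRING struct so it builds on any compiler. The names PWF_STRING, password_meets_policy, check_ascii_password and widen, the extra "password must not contain the account name" rule, the account name "osama" and the sample passwords are all my own constructions.

```c
/* Added example: the policy check inside a Windows NT password-filter DLL.
 * Portable C with a stand-in for the Win32 UNICODE_STRING so it compiles
 * anywhere; the real DLL would expose this logic through the PasswordFilter
 * export and never copy or log the plaintext it is handed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for UNICODE_STRING (own definition, not the Windows header):
 * Length is in BYTES, not characters, and Buffer is UTF-16 that is not
 * necessarily NUL-terminated, so every loop below uses Length / 2. */
typedef struct {
    uint16_t  Length;
    uint16_t  MaximumLength;
    uint16_t *Buffer;
} PWF_STRING;

static int is_upper(uint16_t c) { return c >= 'A' && c <= 'Z'; }
static int is_lower(uint16_t c) { return c >= 'a' && c <= 'z'; }
static int is_digit(uint16_t c) { return c >= '0' && c <= '9'; }
static uint16_t to_lower(uint16_t c) { return is_upper(c) ? (uint16_t)(c + 32) : c; }

/* Case-insensitive substring search over UTF-16 code units (ASCII folding only). */
static int contains_ci(const uint16_t *hay, size_t hay_len,
                       const uint16_t *needle, size_t needle_len)
{
    if (needle_len == 0 || needle_len > hay_len) return 0;
    for (size_t i = 0; i + needle_len <= hay_len; i++) {
        size_t j = 0;
        while (j < needle_len && to_lower(hay[i + j]) == to_lower(needle[j])) j++;
        if (j == needle_len) return 1;
    }
    return 0;
}

/* The policy: at least min_len characters, upper AND lower case, at least
 * one digit, and the account name must not appear inside the password
 * (the last rule is my addition, not something the thread mentions).
 * Returns 1 if the new password is acceptable, 0 if it must be rejected. */
int password_meets_policy(const PWF_STRING *account, const PWF_STRING *password,
                          size_t min_len)
{
    size_t len = password->Length / sizeof(uint16_t);
    size_t acct_len = account ? account->Length / sizeof(uint16_t) : 0;
    int upper = 0, lower = 0, digit = 0;

    if (len < min_len) return 0;
    for (size_t i = 0; i < len; i++) {
        uint16_t c = password->Buffer[i];
        upper |= is_upper(c);
        lower |= is_lower(c);
        digit |= is_digit(c);
    }
    if (!(upper && lower && digit)) return 0;
    if (acct_len && contains_ci(password->Buffer, len, account->Buffer, acct_len)) return 0;
    return 1;
}

/* Widen plain ASCII into the UTF-16 form the LSA hands to the filter. */
static PWF_STRING widen(const char *ascii, uint16_t *storage)
{
    size_t n = strlen(ascii);
    PWF_STRING s;
    for (size_t i = 0; i < n; i++) storage[i] = (uint16_t)(unsigned char)ascii[i];
    s.Length = (uint16_t)(n * sizeof(uint16_t));
    s.MaximumLength = s.Length;
    s.Buffer = storage;
    return s;
}

/* Convenience wrapper for ASCII input; inputs over 128 chars are rejected. */
int check_ascii_password(const char *account, const char *password, size_t min_len)
{
    uint16_t abuf[128], pbuf[128];
    PWF_STRING a, p;
    if (strlen(account) > 128 || strlen(password) > 128) return 0;
    a = widen(account, abuf);
    p = widen(password, pbuf);
    return password_meets_policy(&a, &p, min_len);
}

int main(void)
{
    /* Constructed sample change requests for account "osama", min length 8. */
    const char *samples[] = { "Secret123", "secret123", "SECRET123",
                              "Secretpw", "Sh0rt", "Osama2001" };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%-10s -> %s\n", samples[i],
               check_ascii_password("osama", samples[i], 8) ? "accepted" : "rejected");
    return 0;
}
```

Only "Secret123" passes; the others each fail exactly one rule (no upper case, no lower case, no digit, too short, contains the account name). In a real filter the same code sits behind the PasswordFilter export, and the DLL must also export InitializeChangeNotify and PasswordChangeNotify; because the LSA passes the plaintext, the filter must never write it to a log or leave copies in memory.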




More information about the samba-technical mailing list