OT: change NT login procedure

James Sutherland jas88 at cam.ac.uk
Wed Jan 31 11:20:00 GMT 2001


On Wed, 31 Jan 2001, Osama Abu-Aish wrote:

> On 31 Jan 2001, at 9:34, James Sutherland wrote on the subject Re: OT:
> change NT login procedure:
> My opinion on that:
> 
> > Against NT's "encryption", dictionary attacks are trivial (a few minutes
> > to run a large wordlist); even brute force on an ordinary desktop PC isn't
> > hard.
> true - and one more reason to switch to a different authentication schema :)

Indeed - using a Novell-style redirection seems like a nice solution.

One advantage is that this need only be done on the domain
controllers: all the domain members speak to the NT DC as if it were a
normal NT domain.

> > 1. There is a pair of DLLs Novell replace in NDS for NT, which diverts all
> > NT auth stuff (including password changes) onto the NDS tree.
> I've searched Novell's technical sites and also found this. Seems to be
> a reasonable way. I'm going to investigate the NISGINA code if it
> could be modified to do what I want.

The downside is that this needs to be done per workstation; OTOH, if you
don't have/want any NT domain controllers, both solutions require
something (Novell Workstation Manager, or NISGINA) on each w/s anyway.

> > 2. You can provide a "password filter" DLL to implement password checking
> > when the user changes password (e.g. check the new password is over X
> > characters, mixed case and numbers) - obviously, this DLL *IS* passed the
> > plaintext password - and username, I think.
>
> but this only allows password-related actions. What I'm looking for
> is something more general. I want NT to retrieve _all_ its account
> information from the LDAP directory.

Right... I'd look at how Novell did it, then.

> > Actually, if the NT machine tries to change the password on the Samba
> > machine, it should be synchronised back to Unix anyway, shouldn't it? In
> > which case, with Samba as your PDC, you should be OK.
>
> True - as long as no user changes his passwd on the unix command line
> as this would destroy synchronization.

Not if you have a PAM to pass the update along to the Samba database as
well.

> IMHO as long as there are two different user databases for windows and
> unix there is always the risk of getting them out of sync. Using a
> single database for both systems would solve this problem.

Yes, that's the most elegant solution, I think.

> > The question is, can you get NT servers to authenticate against a Samba
> > PDC now???
>
> Don't know exactly what you mean:
> 1.) You can make an NT server member of a samba controlled domain. But then
> the question is - why use NT server and not WKS since the difference is
> server's ability to act as PDC?

There are a few other limitations as well (number of CPUs, lack of some
software) and an unenforced license limitation on number of clients
served; really, though, I meant "an NT server" not "a machine running
NT/2k Server Edition".

> 2.) If you mean that the clients authenticate against an NT server passing the
> authentication through to samba (somehow like samba's "password server"
> feature) - I don't think this is possible. But maybe I'm wrong here.
>
> Novell addresses this by replacing SAMLIB.DLL (the one which provides
> account database access) by their own. This must only be done on the
> servers to make them look up the account information in the NDS instead
> of their local SAM.

Replacing SAMLIB.DLL with a suitable LDAP client would seem like the best
solution, then?


James.
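As an added illustration of the "password filter" DLL mentioned above (example code, not from the thread or from Novell/Samba): the policy check itself, at least MIN_LEN characters, mixed case and a digit, written as a portable C function, with the three exports the NT LSA loads from such a DLL behind an `_WIN32` guard. MIN_LEN of 8 is an assumed value standing in for the "X characters" in the mail.

```c
/* Added example: core of a PasswordFilter-style policy check.
 * The check function is portable; the DLL exports only build on Windows. */
#include <stddef.h>
#include <wchar.h>
#include <wctype.h>

#define MIN_LEN 8  /* the "X characters" from the thread; assumed value */

/* Return 1 if the candidate password passes, 0 otherwise. 'len' is a
 * character count (UNICODE_STRING.Length is in bytes, so divide by 2). */
int password_meets_policy(const wchar_t *pw, size_t len)
{
    int upper = 0, lower = 0, digit = 0;
    size_t i;

    if (pw == NULL || len < MIN_LEN)
        return 0;
    for (i = 0; i < len; i++) {
        if (iswupper(pw[i]))      upper = 1;
        else if (iswlower(pw[i])) lower = 1;
        else if (iswdigit(pw[i])) digit = 1;
    }
    return upper && lower && digit;
}

#ifdef _WIN32
/* The exports the LSA expects from a password filter DLL. As the thread
 * notes, the plaintext password arrives here: check it, never log or store it. */
#include <windows.h>
#include <ntsecapi.h>

BOOLEAN __stdcall InitializeChangeNotify(void) { return TRUE; }

BOOLEAN __stdcall PasswordFilter(PUNICODE_STRING AccountName,
                                 PUNICODE_STRING FullName,
                                 PUNICODE_STRING Password,
                                 BOOLEAN SetOperation)
{
    (void)AccountName; (void)FullName; (void)SetOperation;
    return password_meets_policy(Password->Buffer,
                                 Password->Length / sizeof(WCHAR)) ? TRUE : FALSE;
}

NTSTATUS __stdcall PasswordChangeNotify(PUNICODE_STRING UserName,
                                        ULONG RelativeId,
                                        PUNICODE_STRING NewPassword)
{
    (void)UserName; (void)RelativeId; (void)NewPassword;
    return 0; /* STATUS_SUCCESS: accept the change, do nothing with it */
}
#endif
```

On Windows the DLL is registered via the LSA "Notification Packages" value; on any other platform only `password_meets_policy` is compiled, so the policy logic can be unit-tested off the domain controller.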

More information about the samba-technical mailing list