OT: change NT login procedure

Andrew Bartlett abartlet at pcug.org.au
Wed Jan 31 12:47:14 GMT 2001

Toomas Soome wrote:
> Osama Abu-Aish wrote:
> >
> > Hi out there,
> >
> > this is somehow OT, but I thought to find the most competent
> > people my idea here:
> >
> > Background:
> >
> > Since NT-UNIX password / account synchronization is a never
> > ending story with many traps I had an idea and wonder if anybody
> > has tried this before and could probably help me by sharing
> > his/her knowledge.
> > Since NT and UNIX use different security models, it is impossible
> > to integrate both into one central security database. Samba is
> > to a certain degree able to provide authentication to NT, but
> > it can't resolve the problem of having two password databases.
> >
> > Idea:
> >
> > All current implementations try to adapt the UNIX-side to match
> > the requirements given by NT. Now I wonder if it shouldn't be
> > possible to change the NT-side. What I'm dreaming of is all
> > our NT WKS authenticating against a LDAP-Server.
> > This _must_ somehow be possible since novell manages it
> > with their NDS directory.
> > What I understand from MS documentation is that custom
> > authentication is supported and that two dll's must be created:
> > a graphical user interface (GINA) and a authentication package.
> >
> > Questions:
> > 1.) Does this make sense at all or is it only YASI (Yet another
> >      stupid idea :-)?
> > 2.) Has anybody tried something like this and could provide me
> >      with any information?
> > 3.) Would someone be interested in following this track?
> >
> I have implemented 1-way just now, but 2 way sync is planned and is
> waiting implementation.
> we have currently blocked passwd change from windows and all passwords
> are changed from unix (Solaris). I have written PAM module for this
> task, stacked below pam_unix. pam_unix will take care of unix passwords
> and pam_smb will write password into smbpasswd NIS+ table. this is unix
> -> windows direction. this works well in our case.

This works for me as well, (I use pam_smbpasswd).

> windows-> unix is a problem, because we do not get cleartext old
> password from windows client (am I wrong?). 

Why do we need the plaintext?  We run as root, we can do what we want.

> if so, we must save
> plaintext passwords into the safe place (crypted with some internal
> key). it is generally bad idea to have plaintext passwords around, but
> in university environment it is not totally unacceptable. I mean, such
> database must be protected with some sort of encryption and if someone
> wants passwords, well it is possible to use sniffers from pc classes,
> one can do dictionary attack against password hashes etc.
> so, if safe sorage for old (or current) passwords is implemented, next
> task is to rewrite current samba interface for password change to use
> standard pam interface (with old password from internal storage and new
> password from client) and it's done. nice and clean.

Using pam is the way to do it, I have been considering what would be
required to get samba to use samba rather that 'passwd'.  I don't think
pam actualy needs the old password.  As far as I can tell, all you would
need is some twidiling of real and effective uids during the process to
make pam think you are root (no old password) but also a normal user
(pam_cracklib and friends).

> of course, there are but's. how to handle username maps, what happens if
> we are going to have domain trust or kerberos environment etc...
> toomas
> --
>         A creature that can leap to tremendous heights... once.

Andrew Bartlett
abartlet at pcug.org.au

More information about the samba-technical mailing list