svn commit: lorikeet r43 - in trunk/heimdal/lib: hdb kadm5
lha at stacken.kth.se
Mon Sep 6 11:49:32 GMT 2004
Andrew Bartlett <abartlet at samba.org> writes:
> On Mon, 2004-09-06 at 18:53, Luke Howard wrote:
>> >Because of the need to preserve the unicodePwd as cleartext, we are also
>> >going to need to pass the cleartext password down to HDB, and then some
>> >of these functions will then become private to hdb (I think).
>> Why do you need to preserve the unicodePwd as cleartext? Seems like
>> something you want to avoid if possible.
> Well, that is to support the flag 'store password with reversible
> encryption'. We all know that means cleartext :-). I think it's used
> for HTTP-Digest/Digest-MD5.
> In any case, I suspect I'll be lynched if I make the generic Kerberos
> code calculate the LM hash ;-)
It already does that. arcfour-hmac-md5 is NTLM hash as far as I understand
it, that how you could upgrade from a windows NT4 to a W2K wo having all
your users change their passwords. Heimdal doesn't support unicode and that
might be a problem for you.
Luke solved the problem with digest-http/digest-md5 by having the kdc also
store those hashes. I've yet to add that patch since I don't have any
consumers of the code yet.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Size: 823 bytes
Desc: not available
Url : http://lists.samba.org/archive/samba-technical/attachments/20040906/8b353fc2/attachment.bin
More information about the samba-technical