svn commit: lorikeet r43 - in trunk/heimdal/lib: hdb kadm5

Andrew Bartlett abartlet at samba.org
Mon Sep 6 11:56:49 GMT 2004


On Mon, 2004-09-06 at 21:49, Love wrote:
> Andrew Bartlett <abartlet at samba.org> writes:
> 
> > On Mon, 2004-09-06 at 18:53, Luke Howard wrote:
> >> >Because of the need to preserve the unicodePwd as cleartext, we are also
> >> >going to need to pass the cleartext password down to HDB, and then some
> >> >of these functions will then become private to hdb (I think).
> >> 
> >> Why do you need to preserve the unicodePwd as cleartext? Seems like
> >> something you want to avoid if possible.
> >
> > Well, that is to support the flag 'store password with reversible
> > encryption'.  We all know that means cleartext :-).  I think it's used
> > for HTTP-Digest/Digest-MD5.
> >
> > In any case, I suspect I'll be lynched if I make the generic Kerberos
> > code calculate the LM hash ;-)
> 
> It already does that. arcfour-hmac-md5 is the NTLM hash as far as I understand
> it; that's how you could upgrade from a Windows NT4 to a W2K without having all
> your users change their passwords.

Yes, that's for the NT hash.  The LM hash is a much weaker, uppercased,
DES-based hash, and is only used for CIFS networking, not for Kerberos.
In the 'samba integration' patches I did, I just ignored the LM hash
and set it to null if somebody is so unfortunate as to change their
password via Kerberos.

> Heimdal doesn't support unicode and that
> might be a problem for you.

Well, it's a problem for the string2key code, but I was going to simply
make wild assumptions about UTF-8 input.

> Luke solved the problem with digest-http/digest-md5 by having the kdc also
> store those hashes. I've yet to add that patch since I don't have any
> consumers of the code yet.

That would be interesting to see.

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet at samba.org
Authentication Developer, Samba Team            http://samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
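The two technical points in the exchange above (that the arcfour-hmac-md5 Kerberos key is simply the NT hash, MD4 over the UTF-16LE password, and that a KDC doing string2key has to decide what encoding the incoming password bytes are in) can be made concrete with a small script. The following is an added example written for this page; it is not Samba or Heimdal code. It carries its own MD4 so it runs without OpenSSL's legacy provider (hashlib.new('md4') is often missing), assumes the NT4-to-W2K upgrade point holds because RC4-HMAC string2key has no salt and no iteration, and deliberately does not compute the LM hash (that needs DES and is the value the reply says it nulls out). The `nt_hash_from_wire` helper and its `assume_utf8` switch are illustration names, not any project's API.

```python
"""NT hash / RC4-HMAC key derivation as discussed in the thread.

Constructed example; not Samba or Heimdal code. Pure-Python MD4 (RFC 1320)
so it runs without OpenSSL's legacy provider.
"""
import struct

MASK = 0xFFFFFFFF


def _lrot(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK


def _round(a, b, c, d, f, X, idx, shifts, const):
    # One MD4 round: 16 steps; the register roles rotate every step.
    for i in range(16):
        t = _lrot((a + f(b, c, d) + X[idx[i]] + const) & MASK, shifts[i % 4])
        a, b, c, d = d, t, b, c
    return a, b, c, d


def md4(data: bytes) -> bytes:
    F = lambda x, y, z: (x & y) | ((x ^ MASK) & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    # Padding: 0x80, zeros to 56 mod 64, then the bit length little-endian.
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", (8 * len(data)) & 0xFFFFFFFFFFFFFFFF)
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        a, b, c, d = _round(a, b, c, d, F, X, list(range(16)), (3, 7, 11, 19), 0)
        a, b, c, d = _round(a, b, c, d, G, X,
                            [(i % 4) * 4 + i // 4 for i in range(16)],
                            (3, 5, 9, 13), 0x5A827999)
        a, b, c, d = _round(a, b, c, d, H, X,
                            [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15],
                            (3, 9, 11, 15), 0x6ED9EBA1)
        h = [(x + y) & MASK for x, y in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def nt_hash(password: str) -> bytes:
    """NT hash: MD4 over the UTF-16LE encoding of the password."""
    return md4(password.encode("utf-16-le"))


def rc4_hmac_key(password: str) -> bytes:
    # arcfour-hmac-md5 string2key has no salt and no iteration count, so the
    # Kerberos key is exactly the NT hash the NT4 domain already stored.
    # That is why the upgrade needs no password change.
    return nt_hash(password)


def nt_hash_from_wire(raw: bytes, assume_utf8: bool = True) -> bytes:
    """The string2key encoding problem from the thread (illustration name).

    The KDC receives the password as bytes. Assuming UTF-8 is the 'wild
    assumption'; a KDC that reads the same bytes as a single-byte charset
    derives a different key for any non-ASCII password.
    """
    text = raw.decode("utf-8") if assume_utf8 else raw.decode("latin-1")
    return nt_hash(text)


if __name__ == "__main__":
    print(nt_hash("").hex())  # 31d6cfe0d16ae931b73c59d7e0c089c0, the empty NT hash
    for pw in ("password", "p\u00e4ssword"):  # constructed sample passwords
        raw = pw.encode("utf-8")
        print(pw, nt_hash_from_wire(raw).hex(), nt_hash_from_wire(raw, False).hex())
```

For ASCII passwords both decodings agree, so the encoding assumption is invisible in testing; it only bites users with non-ASCII passwords, which is the case a migration plan has to check before cutting over.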