What is PCNS?
rsharpe at richardsharpe.com
Tue Apr 5 20:33:18 GMT 2005
On Tue, 5 Apr 2005, Christopher R. Hertel wrote:
> Sat through a presentation on MIIS today. MIIS is supposed to be a
> "metadirectory" that allows you to keep multiple directories (AD, NDS,
> etc.) in sync.
> I asked about password sync, and was told that there's something called
> PCNS that can "capture" the plaintext password when the user changes their
> password on a Windows client, and then use that plaintext password to
> create whatever hashes are needed.
> Thing is, PCNS (according to the MS SE) runs on the domain controller,
> and is accessed via secure RPC. That'd mean that the client is actually
> sending the (encrypted) plaintext password over the wire to the DC.
> What has me confused is that it was my understanding that Windows clients,
> when performing a password change, only sent the (encrypted) hashes. Has
> this changed or is there something new in PCNS?
I thought that the new password was encrypted with the old hash on a
change password request ...
I guess that that is to prevent someone injecting a password change
request into an active stream or something.
Richard Sharpe, rsharpe[at]richardsharpe.com, rsharpe[at]samba.org,