What is PCNS?

Richard Sharpe rsharpe at richardsharpe.com
Tue Apr 5 20:33:18 GMT 2005


On Tue, 5 Apr 2005, Christopher R. Hertel wrote:

> Sat through a presentation on MIIS today.  MIIS is supposed to be a
> "metadirectory" that allows you to keep multiple directories (AD, NDS,
> etc.) in sync.
>
> I asked about password sync, and was told that there's something called
> PCNS that can "capture" the plaintext password when the user changes their
> password on a Windows client, and then use that plaintext password to
> create whatever hashes are needed.
>
> Thing is, PCNS (according to the MS SE) runs on the domain controller,
> and is accessed via secure RPC.  That'd mean that the client is actually
> sending the (encrypted) plaintext password over the wire to the DC.
>
> What has me confused is that it was my understanding that Windows clients,
> when performing a password change, only sent the (encrypted) hashes.  Has
> this changed or is there something new in PCNS?

I thought that the new password was encrypted with the old hash on a
change password request ...

I guess that that is to prevent someone injecting a password change
request into an active stream or something.

Regards
-----
Richard Sharpe, rsharpe[at]richardsharpe.com, rsharpe[at]samba.org,
sharpe[at]ethereal.com, http://www.richardsharpe.com


More information about the samba-technical mailing list