What is PCNS?
Christopher R. Hertel
crh at ubiqx.mn.org
Tue Apr 5 21:04:57 GMT 2005
On Tue, Apr 05, 2005 at 01:33:18PM -0700, Richard Sharpe wrote:
> On Tue, 5 Apr 2005, Christopher R. Hertel wrote:
> > Sat through a presentation on MIIS today. MIIS is supposed to be a
> > "metadirectory" that allows you to keep multiple directories (AD, NDS,
> > etc.) in sync.
> > I asked about password sync, and was told that there's something called
> > PCNS that can "capture" the plaintext password when the user changes their
> > password on a Windows client, and then use that plaintext password to
> > create whatever hashes are needed.
> > Thing is, PCNS (according to the MS SE) runs on the domain controller,
> > and is accessed via secure RPC. That'd mean that the client is actually
> > sending the (encrypted) plaintext password over the wire to the DC.
> > What has me confused is that it was my understanding that Windows clients,
> > when performing a password change, only sent the (encrypted) hashes. Has
> > this changed or is there something new in PCNS?
> I thought that the new password was encrypted with the old hash on a
> change password request ...
> I guess that that is to prevent someone injecting a password change
> request into an active stream or something.
...but is it the new password or the new hash (or set of hashes, since
you'd have LM and NTLM hashes and possibly whatever Kerberos uses)?
At the core of the question is whether or not it's possible to get hold of
the plaintext password if you are the DC. If so, then you could also
update the Unix password and whatever else needed updating.
"Implementing CIFS - the Common Internet FileSystem" ISBN: 013047116X
Samba Team -- http://www.samba.org/ -)----- Christopher R. Hertel
jCIFS Team -- http://jcifs.samba.org/ -)----- ubiqx development, uninq.
ubiqx Team -- http://www.ubiqx.org/ -)----- crh at ubiqx.mn.org
OnLineBook -- http://ubiqx.org/cifs/ -)----- crh at ubiqx.org