What is PCNS?

Andrew Bartlett abartlet at samba.org
Tue Apr 5 22:35:59 GMT 2005


On Tue, 2005-04-05 at 16:42 -0500, Christopher R. Hertel wrote:
> On Tue, Apr 05, 2005 at 04:20:53PM -0500, Gerald (Jerry) Carter wrote:
> > Christopher R. Hertel wrote:
> > 
> > | At the core of the question is whether or not it's possible
> > | to get hold of the plaintext password if you are the DC.
> > | If so, then you could also update the Unix password
> > | and whatever else needed updating.
> > 
> > how do you think we support 'unix password sync' ?
> 
> Wasn't sure, which is why I asked.
> 
> > The client sends the cleartext of the new password
> > encrypted with the hash of the old password like Richard
> > mentioned in a previous mail.
> 
> Is this true for Win9x-vintage clients or is it only true if they're 
> RPC-capable?

It is true for almost all clients, except those which make a LM hash
only password change.

See the Samba4 IDL for the variations on the theme at the SAMR layer,
but in practice, we have not had any issues with being able to get
plaintext passwords, except for *machine* password changes in Samba3,
where we don't know how to handle ServerPasswordSet2.  (4 recently got
the IDL and implementation for this call, but I don't know what clients
use it).

Andrew Bartlett
-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net
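
Added example, not part of the original message and not Samba code: a sketch of why a DC that stores the old hash can recover the new plaintext from a password change, as the thread describes. The 516-byte layout (512-byte buffer with the UTF-16LE password right-aligned, then a 4-byte length) and the use of RC4 are assumptions taken from the SAMR password-change buffer format, not from this thread; `OLD_HASH`, `client_wrap` and `server_unwrap` are hypothetical names.

```python
import os
import struct

# Constructed 16-byte stand-in for the hash of the old password (assumption:
# a real client and DC would both derive this value from the old password).
OLD_HASH = bytes.fromhex("00112233445566778899aabbccddeeff")

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4; encrypting and decrypting are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def client_wrap(new_password: str, old_hash: bytes) -> bytes:
    """Client side: new cleartext password, encrypted under the old hash."""
    pw = new_password.encode("utf-16-le")
    if len(pw) > 512:
        raise ValueError("password too long for the 512-byte buffer")
    # Random filler, password right-aligned, then little-endian byte length.
    clear = os.urandom(512 - len(pw)) + pw + struct.pack("<I", len(pw))
    return rc4(old_hash, clear)

def server_unwrap(blob: bytes, stored_old_hash: bytes) -> str:
    """DC side: decrypt with the stored old hash and return the plaintext."""
    if len(blob) != 516:
        raise ValueError("expected a 516-byte buffer")
    clear = rc4(stored_old_hash, blob)
    (length,) = struct.unpack("<I", clear[512:])
    if length > 512 or length % 2:
        raise ValueError("bad length: wrong old hash or corrupted buffer")
    return clear[512 - length:512].decode("utf-16-le")

if __name__ == "__main__":
    blob = client_wrap("N3w-Passw0rd!", OLD_HASH)
    print(len(blob), server_unwrap(blob, OLD_HASH))
```

Because the server ends up holding the new plaintext, it can feed it to other password stores; the same property means any code running in that path on the DC sees every changed password.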