Storing only a salted, hashed password for offline creds

Hansjörg Maurer hansjoerg.maurer at dlr.de
Sun Aug 20 13:09:37 GMT 2006


Hi

sorry for inserting an issue to this thread, which may just be related.

If I understand the context of this thread correctly,
it deals with local logon into unix workstations which
authenticate against an Active Directory

Is there a chance in the future that a samba AD-member server can
cache credentials too, in order to give Windows clients access to shares
on the server
even if the Active Directory DCs are not available?

I asked this some weeks ago on samba-users and was told that this
is not possible at the moment.

Thank you and greetings from Munich

Hansjoerg




Andrew Bartlett wrote:

> On Sat, 2006-08-19 at 14:51 -0700, Jeremy Allison wrote:
>
> > On Sun, Aug 20, 2006 at 07:46:47AM +1000, Andrew Bartlett wrote:
> >
> > > That's correct, and an entrypoint I support in the Samba4
> > > NTLMSSP/credentials code.
> >
> > Likewise in Samba3 now :-).
> >
> > > Also, for plaintext:  do you store the plaintext or a hash for the
> > > offline credentials?  You should store a salted hash.
> >
> > Can't be done that way when using MIT krb5, without
> > modification of the internal krb5 libs. So we have to
> > store plaintext for this case.
>
> I should have been more clear.  For the *offline* credentials cache
> (where we want a user to log in to a disconnected laptop) we
> could/should store only a salted hash, much like would be used
> in /etc/shadow, as the user must present cleartext to login (which we
> can then use for the purposes of this patch and krb5 refresh).
>
> This should prevent an attack in the 'stolen laptop' scenario.
>
> We could use the hash format we use for the LDAP password history, or
> perhaps a *variation* on the format used for AES krb5 (but it must be a
> variation, to avoid it being a plaintext-equivalent).
>
> Andrew Bartlett
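The scheme Andrew sketches in the quoted reply (keep only a salted hash for the offline cache, re-derive from the cleartext the user types at a disconnected logon, and make the derivation a deliberate variation so the stored bytes are not a Kerberos key and therefore not a plaintext-equivalent), written out as an added example. This is illustrative code, not Samba's implementation and not code from anyone in this thread: the function names, the record layout, the purpose label and the choice of PBKDF2-HMAC-SHA256 from the Python standard library are all assumptions made here, and the sample principal and password are constructed.

```python
"""Offline logon cache that stores a salted, purpose-bound password hash.

Added example, not Samba code. The names, the record layout and the use of
PBKDF2-HMAC-SHA256 are assumptions made for illustration.
"""
import hashlib
import hmac
import json
import secrets

# Hypothetical parameters; a real deployment would tune the iteration count.
PBKDF2_ITERATIONS = 100_000
SALT_BYTES = 16
# Fixed label mixed into the derivation so the stored value is not the bytes a
# Kerberos string-to-key function would produce from this password, i.e. it is
# not a plaintext-equivalent that could be replayed to a KDC if the disk is stolen.
PURPOSE_LABEL = b"samba-offline-logon-cache-v1"


def _derive(password: str, principal: str, salt: bytes, iterations: int) -> bytes:
    # Bind the hash to the purpose label and the principal as well as the salt.
    bound_salt = PURPOSE_LABEL + b"|" + principal.encode("utf-8") + b"|" + salt
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), bound_salt, iterations)


def make_cache_entry(principal: str, password: str, iterations: int = PBKDF2_ITERATIONS) -> dict:
    """Record a member server or workstation would keep on disk after a
    successful online logon. Only the salt and the derived hash are kept;
    the cleartext is discarded once the entry is written."""
    salt = secrets.token_bytes(SALT_BYTES)
    return {
        "principal": principal,
        "kdf": "pbkdf2-hmac-sha256",
        "iterations": iterations,
        "salt": salt.hex(),
        "hash": _derive(password, principal, salt, iterations).hex(),
    }


def verify_offline_logon(entry: dict, principal: str, password: str) -> bool:
    """Disconnected-laptop check: the user presents cleartext, we re-derive
    and compare in constant time. On success the caller still holds the
    cleartext and can use it to refresh krb5 tickets once a DC is reachable."""
    if entry.get("principal") != principal or entry.get("kdf") != "pbkdf2-hmac-sha256":
        return False
    candidate = _derive(password, principal, bytes.fromhex(entry["salt"]), entry["iterations"])
    return hmac.compare_digest(candidate, bytes.fromhex(entry["hash"]))


def stored_entry_leaks_password(entry: dict, password: str) -> bool:
    """What a thief with the stolen laptop's disk sees is the serialised
    record; return True if the cleartext appears in it."""
    return password in json.dumps(entry)


if __name__ == "__main__":
    # Constructed sample credential, not a real account.
    user, pw = "hmaurer@EXAMPLE.COM", "correct horse battery staple"
    entry = make_cache_entry(user, pw)
    print(json.dumps(entry, indent=2))
    print("login ok:", verify_offline_logon(entry, user, pw))
    print("wrong password ok:", verify_offline_logon(entry, user, "wrong"))
    print("cleartext on disk:", stored_entry_leaks_password(entry, pw))
```

The per-entry random salt means two cached users with the same password get unrelated hashes, and the purpose label is the "variation" the reply asks for: even if the KDF were the same one krb5 uses for AES string-to-key, the differing salt input means the cached bytes cannot be presented to a KDC as the user's key.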


