trying to correctly handle account passwords via ldap

Luke Howard lukeh at padl.com
Tue Mar 28 07:28:12 GMT 2006


>  I run into this nearly every day with wireless authentication
>deployments.  The Windows laptops use PEAP (TLS + MS-CHAPv2), and AD
>doesn't expose the clear-text passwords.  As a result, there are
>various ways to work around the issue (e.g. ntlm_auth), none of which
>are efficient or scalable.  If the NT hash information was available
>through normal LDAP queries, then the systems would be much more
>scalable, stable, and efficient.

As far as the NT security model is concerned, using the Net Logon
secure channel (as ntlm_auth does) is the correct way to do
pass-through authentication.

A PEAP/CHAP/etc server shouldn't need to have a copy of every
user's secret just to authenticate them -- that extends the trust
boundary considerably, because it can then impersonate any user in
the domain.

(I appreciate that in the "real world" there might be reasons where
you don't care about this, e.g. efficiency.)

-- Luke

More information about the samba-technical mailing list