trying to correctly handle account passwords via ldap

Alan DeKok aland at ox.org
Tue Mar 28 17:13:23 GMT 2006


Luke Howard <lukeh at padl.com> wrote:
> As far as the NT security model is concerned, using the Net Logon
> secure channel (as ntlm_auth does) is the correct way to do pass-
> through authentication.

  Can Samba expose an API to just that, rather than forking a program
to contact a program to contact a program that contacts the domain
controller?

> A PEAP/CHAP/etc server shouldn't need to have a copy of every
> user's secret just to authenticate them -- that extends the trust
> boundary considerably, because it can then impersonate any user in
> the domain.

  Even when using ntlm_auth, the non-AD authenticator MUST have access
to the NT-hash-hash in order to calculate the MS-CHAP response.  This
is because the AD server doesn't do the full MS-CHAPv2 calculations
for you.  Again, because of "security".  The result is that (in my
case) the RADIUS server could cache the nt-hash-hash, and impersonate
anyone.

  So we might as well give up on nonsensical security, pass the
nt-hash directly to the RADIUS server, and avoid layers of obfuscation
that add nothing to efficiency, scalability, stability, or security.

  Alan DeKok.
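Added example, not part of Alan DeKok's message and not code from Samba or any RADIUS server: the server-side MS-CHAPv2 Authenticator Response computation from RFC 2759 (sections 8.3 and 8.7), run against the RFC's own section 9.2 test vector. It shows the point the message turns on: to finish the exchange the authenticator needs PasswordHashHash, the MD4 of the NT hash, plus the peer's NT-Response and the two challenges, and nothing else. MD4 is written out in pure Python because several OpenSSL builds disable it, so `hashlib.new("md4")` is not reliable; the `TEST_*` constants are the published RFC values, not data from this thread.

```python
"""MS-CHAPv2 server-side Authenticator Response (RFC 2759, sections 8.3 and 8.7).

Added example for the samba-technical thread; not Samba or FreeRADIUS code.
"""
import hashlib
import struct

MASK32 = 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """MD4 (RFC 1320) in pure Python, so the example runs even where OpenSSL
    has moved md4 into the legacy provider."""
    def rotl(x, n):
        return ((x << n) | (x >> (32 - n))) & MASK32

    def f(x, y, z):
        return (x & y) | (~x & MASK32 & z)

    def g(x, y, z):
        return (x & y) | (x & z) | (y & z)

    def h(x, y, z):
        return x ^ y ^ z

    # (boolean function, additive constant, X[k] order, shift amounts) per round
    rounds = (
        (f, 0x00000000, tuple(range(16)), (3, 7, 11, 19)),
        (g, 0x5A827999, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (h, 0x6ED9EBA1, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", (8 * len(data)) & 0xFFFFFFFFFFFFFFFF)

    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        s = state[:]
        for func, const, order, shifts in rounds:
            for i in range(16):
                r = (-i) % 4  # register updated this step cycles a, d, c, b
                v = s[r] + func(s[(r + 1) % 4], s[(r + 2) % 4], s[(r + 3) % 4]) + x[order[i]] + const
                s[r] = rotl(v & MASK32, shifts[i % 4])
        state = [(a + b) & MASK32 for a, b in zip(state, s)]
    return struct.pack("<4I", *state)


def nt_password_hash(password: str) -> bytes:
    """NtPasswordHash: MD4 over the UTF-16LE password (the NT hash)."""
    return md4(password.encode("utf-16-le"))


def hash_nt_password_hash(nt_hash: bytes) -> bytes:
    """HashNtPasswordHash: MD4 of the NT hash, the 'NT-hash-hash' of the message above."""
    return md4(nt_hash)


def challenge_hash(peer_challenge: bytes, authenticator_challenge: bytes, username: bytes) -> bytes:
    """ChallengeHash (RFC 2759 8.2): first 8 bytes of SHA1(PeerChallenge || AuthChallenge || UserName)."""
    return hashlib.sha1(peer_challenge + authenticator_challenge + username).digest()[:8]


MAGIC1 = b"Magic server to client signing constant"
MAGIC2 = b"Pad to make it do more than one iteration"


def generate_authenticator_response(password_hash_hash: bytes, nt_response: bytes,
                                    peer_challenge: bytes, authenticator_challenge: bytes,
                                    username: bytes) -> str:
    """GenerateAuthenticatorResponse (RFC 2759 8.7). Note the inputs: the hash of the
    NT hash, the peer's 24-byte NT-Response, and public challenge material. The
    password and the NT hash itself are not needed at this step."""
    digest = hashlib.sha1(password_hash_hash + nt_response + MAGIC1).digest()
    challenge = challenge_hash(peer_challenge, authenticator_challenge, username)
    digest = hashlib.sha1(digest + challenge + MAGIC2).digest()
    return "S=" + digest.hex().upper()


# RFC 2759 section 9.2 test vector (published values, not a captured exchange)
TEST_USERNAME = b"User"
TEST_PASSWORD = "clientPass"
TEST_AUTHENTICATOR_CHALLENGE = bytes.fromhex("5B5D7C7D7B3F2F3E3C2C602132262628")
TEST_PEER_CHALLENGE = bytes.fromhex("21402324255E262A28295F2B3A337C7E")
TEST_NT_RESPONSE = bytes.fromhex("82309ECD8D708B5EA08FAA3981CD83544233114A3D85D6DF")


def demo() -> str:
    # The message above says the non-AD authenticator is handed the NT-hash-hash;
    # here it is derived from the test password only to show the relationship.
    password_hash_hash = hash_nt_password_hash(nt_password_hash(TEST_PASSWORD))
    return generate_authenticator_response(password_hash_hash, TEST_NT_RESPONSE,
                                           TEST_PEER_CHALLENGE, TEST_AUTHENTICATOR_CHALLENGE,
                                           TEST_USERNAME)


if __name__ == "__main__":
    print(demo())
```

The takeaway for whoever operates the RADIUS side is the one the message makes: `generate_authenticator_response` is a function of PasswordHashHash and the observed NT-Response, and RFC 3079's MPPE key derivation takes the same two inputs, so whatever value comes back from the domain controller via ntlm_auth is credential material for that user's session and should be held in memory only for the duration of the exchange, never logged or cached.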
