trying to correctly handle account passwords via ldap
aland at ox.org
Tue Mar 28 17:13:23 GMT 2006
Luke Howard <lukeh at padl.com> wrote:
> As far as the NT security model is concerned, using the Net Logon
> secure channel (as ntlm_auth does) is the correct way to do pass-
> through authentication.
Can Samba expose an API to just that, rather than forking a program
to contact a program to contact a program that contacts the domain
> A PEAP/CHAP/etc server shouldn't need to have a copy of every
> user's secret just to authentication them -- that extends the trust
> boundary considerably, because it can then impersonate any user in
> the domain.
Even when using ntlm_auth, the non-AD authenticator MUST have access
to the NT-hash-hash in order to calculate the MS-CHAP response. This
is because the AD server doesn't do the full MS-CHAPv2 calculations
for you. Again, because of "security". The result is that (in my
case) the RADIUS server could cache the nt-hash-hash, and impersonate
So we might as well give up on nonsensical security, pass the
nt-hash directly to the RADIUS server, and avoid layers of obfuscation
that add nothing to efficiency, scalability, stability, or security.