trying to correctly handle account passwords via ldap

Andrew Bartlett abartlet at samba.org
Tue Mar 28 22:45:07 GMT 2006


On Tue, 2006-03-28 at 12:13 -0500, Alan DeKok wrote:
> Luke Howard <lukeh at padl.com> wrote:
> > As far as the NT security model is concerned, using the Net Logon
> > secure channel (as ntlm_auth does) is the correct way to do pass-
> > through authentication.
> 
>   Can Samba expose an API to just that, rather than forking a program
> to contact a program to contact a program that contacts the domain
> controller?

The --helper-protocol=ntlm-server-1 was designed to avoid the need to
keep forking, and run a long-term conversation.  Unfortunately I think
it has some memory leaks, but these could be addressed, if there is a
suitable user.

The use of winbindd ensures that there is no wasted network traffic as
multiple authentications occur.  The network setup cost for NETLOGON is
far higher than the cost of a fork().

Which cost are you trying to reduce?

> > A PEAP/CHAP/etc server shouldn't need to have a copy of every
> > user's secret just to authentication them -- that extends the trust
> > boundary considerably, because it can then impersonate any user in
> > the domain.
> 
>   Even when using ntlm_auth, the non-AD authenticator MUST have access
> to the NT-hash-hash in order to calculate the MS-CHAP response.  This
> is because the AD server doesn't do the full MS-CHAPv2 calculations
> for you.  Again, because of "security".  The result is that (in my
> case) the RADIUS server could cache the nt-hash-hash, and impersonate
> anyone.

Someone possessing this could intercept and read and modify traffic, but
they can't start a new login on another server.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net
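Added illustration, not part of this thread and not Samba's or any RADIUS server's own code: the server-side MS-CHAPv2 steps from RFC 2759 (section 8.7) and RFC 3079 (section 3.4) that an authenticator performs once it holds the NT-hash-hash Alan refers to. The inputs are RFC 2759's published test vectors (user "User", password "clientPass"), so the password itself never appears; the authenticator response and the MPPE master key fall out of the hash-of-hash alone. That is the concrete reason a host caching this value is inside the trust boundary and has to be protected like a credential store, and why keeping it behind a long-lived helper rather than on disk matters.

```python
"""
MS-CHAPv2 server-side computations that need only the NT-hash-hash
(MD4 of the NT password hash), never the password or even the NT hash.
All constants and test values are the published ones from RFC 2759
section 9.2 and RFC 3079; nothing here is Samba or FreeRADIUS code.
"""
import hashlib

# Signing constants from RFC 2759 section 8.7
MAGIC1 = b"Magic server to client signing constant"
MAGIC2 = b"Pad to make it do more than one iteration"
# Key-derivation constant from RFC 3079 section 3.4
MPPE_MASTER_MAGIC = b"This is the MPPE Master Key"


def challenge_hash(peer_challenge: bytes, auth_challenge: bytes, username: bytes) -> bytes:
    """RFC 2759 section 8.2: 8-byte challenge bound to both nonces and the user name."""
    return hashlib.sha1(peer_challenge + auth_challenge + username).digest()[:8]


def generate_authenticator_response(nt_hash_hash: bytes, nt_response: bytes,
                                    peer_challenge: bytes, auth_challenge: bytes,
                                    username: bytes) -> str:
    """RFC 2759 section 8.7, entered at the PasswordHashHash step.

    The RFC's routine takes the password and derives PasswordHashHash from it;
    a pass-through authenticator skips that and starts from the 16-byte value
    it was handed, which is exactly why that value must be available to it.
    """
    digest = hashlib.sha1(nt_hash_hash + nt_response + MAGIC1).digest()
    challenge = challenge_hash(peer_challenge, auth_challenge, username)
    digest = hashlib.sha1(digest + challenge + MAGIC2).digest()
    return "S=" + digest.hex().upper()


def get_master_key(nt_hash_hash: bytes, nt_response: bytes) -> bytes:
    """RFC 3079 section 3.4: 16-byte MPPE master key; the per-direction
    session keys that encrypt the PPP/PEAP tunnel are derived from it."""
    return hashlib.sha1(nt_hash_hash + nt_response + MPPE_MASTER_MAGIC).digest()[:16]


# RFC 2759 section 9.2 test vectors (constructed by the RFC authors, not captured traffic)
RFC_USERNAME = b"User"
RFC_AUTH_CHALLENGE = bytes.fromhex("5B5D7C7D7B3F2F3E3C2C602132262628")
RFC_PEER_CHALLENGE = bytes.fromhex("21402324255E262A28295F2B3A337C7E")
RFC_NT_RESPONSE = bytes.fromhex("82309ECD8D708B5EA08FAA3981CD83544233114A3D85D6DF")
# PasswordHashHash = MD4(MD4(UTF-16LE("clientPass"))); the password is not needed below
RFC_NT_HASH_HASH = bytes.fromhex("41C00C584BD2D91C4017A2A12FA59F3F")


def rfc_vector_results() -> dict:
    """Run the two derivations on the RFC vectors and return both outputs."""
    return {
        "challenge": challenge_hash(RFC_PEER_CHALLENGE, RFC_AUTH_CHALLENGE, RFC_USERNAME).hex().upper(),
        "auth_response": generate_authenticator_response(
            RFC_NT_HASH_HASH, RFC_NT_RESPONSE, RFC_PEER_CHALLENGE, RFC_AUTH_CHALLENGE, RFC_USERNAME),
        "master_key": get_master_key(RFC_NT_HASH_HASH, RFC_NT_RESPONSE).hex().upper(),
    }


if __name__ == "__main__":
    for name, value in rfc_vector_results().items():
        print(f"{name}: {value}")
```

The expected authenticator response for these vectors is the RFC's `S=407A5589115FD0D6209F510FE9C04566932CDA56`; the master key is what the tunnel's send and receive keys are cut from, which is the "read and modify traffic" capability Andrew describes.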