trying to correctly handle account passwords via ldap
abartlet at samba.org
Tue Mar 28 22:45:07 GMT 2006
On Tue, 2006-03-28 at 12:13 -0500, Alan DeKok wrote:
> Luke Howard <lukeh at padl.com> wrote:
> > As far as the NT security model is concerned, using the Net Logon
> > secure channel (as ntlm_auth does) is the correct way to do pass-
> > through authentication.
> Can Samba expose an API to just that, rather than forking a program
> to contact a program to contact a program that contacts the domain
The --helper-protocol=ntlm-server-1 was designed to avoid the need to
keep forking, and run a long-term conversation. Unfortunately I think
it has some memory leaks, but these could be addressed, if there is a
The use of winbindd ensures that there is no wasted network traffic as
multiple authentications occur. The network setup cost for NETLOGON is
far higher than the cost of a fork().
Which cost are you trying to reduce?
> > A PEAP/CHAP/etc server shouldn't need to have a copy of every
> > user's secret just to authentication them -- that extends the trust
> > boundary considerably, because it can then impersonate any user in
> > the domain.
> Even when using ntlm_auth, the non-AD authenticator MUST have access
> to the NT-hash-hash in order to calculate the MS-CHAP response. This
> is because the AD server doesn't do the full MS-CHAPv2 calculations
> for you. Again, because of "security". The result is that (in my
> case) the RADIUS server could cache the nt-hash-hash, and impersonate
Someone possessing this could intercept and read and modify traffic, but
they can't start a new login on another server.
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Student Network Administrator, Hawker College http://hawkerc.net