trying to correctly handle account passwords via ldap

Luke Howard lukeh at padl.com
Tue Mar 28 22:47:55 GMT 2006


Hi Alan,

>> As far as the NT security model is concerned, using the Net Logon
>> secure channel (as ntlm_auth does) is the correct way to do pass-
>> through authentication.
>
>  Can Samba expose an API to just that, rather than forking a program
>to contact a program to contact a program that contacts the domain
>controller?

You might be able to use the winbindd API for this. Not my bailiwick
I'm afraid. But it's obviously possible in theory -- we have such a
client API in one of our products.

>  Even when using ntlm_auth, the non-AD authenticator MUST have access
>to the NT-hash-hash in order to calculate the MS-CHAP response.  This
>is because the AD server doesn't do the full MS-CHAPv2 calculations
>for you.  Again, because of "security".  The result is that (in my
>case) the RADIUS server could cache the nt-hash-hash, and impersonate
>anyone.

The NT-hash-hash is the NTLMv1 session key. This is returned in the
response to the NetrLogonSamLogon RPC. Note that a different algorithm
is used for NTLMv2. In neither case does the server performing the
pass-through authentication need the original NT OWF.

-- Luke
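As an added illustration of the last paragraph above (not code from this thread or from Samba): the MS-CHAPv2 authenticator side, per RFC 2759, consumes only PasswordHashHash = MD4(MD4(password)), the same value as the NTLMv1 user session key, so a server holding it can complete the exchange without ever seeing the NT OWF, which is exactly why a cached nt-hash-hash is a password-equivalent secret. MD4 is implemented inline because hashlib's md4 is frequently unavailable; the RFC 2759 test vector ("User" / "clientPass") is used to check the result.

```python
import hashlib
import struct

_MAGIC1 = b"Magic server to client signing constant"
_MAGIC2 = b"Pad to make it do more than one iteration"

def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib's md4 is often disabled under OpenSSL 3."""
    bitlen = len(data) * 8
    data += b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", bitlen)
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    ff = lambda x, y, z: (x & y) | (~x & z)
    gg = lambda x, y, z: (x & y) | (x & z) | (y & z)
    hh = lambda x, y, z: x ^ y ^ z
    rol = lambda x, s: ((x << s) | (x >> (32 - s))) & 0xFFFFFFFF
    # per round: boolean function, additive constant, message-word order, shift amounts
    rounds = (
        (ff, 0, list(range(16)), (3, 7, 11, 19)),
        (gg, 0x5A827999, [(i % 4) * 4 + i // 4 for i in range(16)], (3, 5, 9, 13)),
        (hh, 0x6ED9EBA1, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15)),
    )
    for off in range(0, len(data), 64):
        x = struct.unpack("<16I", data[off:off + 64])
        a, b, c, d = h
        for fn, k, order, shifts in rounds:
            for i, w in enumerate(order):
                a, b, c, d = d, rol((a + fn(b, c, d) + x[w] + k) & 0xFFFFFFFF, shifts[i % 4]), b, c
        h = [(v + w) & 0xFFFFFFFF for v, w in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)

def nt_owf(password: str) -> bytes:
    """NT one-way function: MD4 over the UTF-16LE encoded password."""
    return md4(password.encode("utf-16-le"))

def nt_hash_hash(password: str) -> bytes:
    """MD4 of the NT OWF: the NTLMv1 user session key, MS-CHAPv2's PasswordHashHash."""
    return md4(nt_owf(password))

def challenge_hash(peer_challenge: bytes, auth_challenge: bytes, username: str) -> bytes:
    """RFC 2759 ChallengeHash: first 8 bytes of SHA1(PeerChallenge || AuthenticatorChallenge || UserName)."""
    return hashlib.sha1(peer_challenge + auth_challenge + username.encode()).digest()[:8]

def authenticator_response(hash_hash: bytes, nt_response: bytes, peer_challenge: bytes,
                           auth_challenge: bytes, username: str) -> str:
    """RFC 2759 GenerateAuthenticatorResponse: consumes PasswordHashHash, never the NT OWF."""
    digest = hashlib.sha1(hash_hash + nt_response + _MAGIC1).digest()
    chal = challenge_hash(peer_challenge, auth_challenge, username)
    digest = hashlib.sha1(digest + chal + _MAGIC2).digest()
    return "S=" + digest.hex().upper()
```

The NT-Response itself is computed by the client (DES over the NT OWF), so the authenticator only ever receives it and needs the hash-hash, not the hash, to validate and sign the exchange.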
