trying to correctly handle account passwords via ldap
lukeh at padl.com
Tue Mar 28 22:47:55 GMT 2006
>> As far as the NT security model is concerned, using the Net Logon
>> secure channel (as ntlm_auth does) is the correct way to do pass-
>> through authentication.
> Can Samba expose an API to just that, rather than forking a program
>to contact a program to contact a program that contacts the domain
You might be able to use the winbindd API for this. Not my balliwick
I'm afraid. But it's obviously possible in theory -- we have such a
client API in one of our products.
> Even when using ntlm_auth, the non-AD authenticator MUST have access
>to the NT-hash-hash in order to calculate the MS-CHAP response. This
>is because the AD server doesn't do the full MS-CHAPVv2 calculations
>for you. Again, because of "security". The result is that (in my
>case) the RADIUS server could cache the nt-hash-hash, and impersonate
The NT-hash-hash is the NTLMv1 session key. This is returned in the
response to the NetrLogonSamLogon RPC. Note that a different algorithm
is used for NTLMv2. In neither case does the server performing the
pass-through authentication need the original NT OWF.
More information about the samba-technical