trying to correctly handle account passwords via ldap

Henrik Nordstrom henrik at
Wed Mar 29 09:33:55 GMT 2006

Tue 2006-03-28 at 12:13 -0500, Alan DeKok wrote:

>   Even when using ntlm_auth, the non-AD authenticator MUST have access
> to the NT-hash-hash in order to calculate the MS-CHAP response.

Correct, and the NT-hash-hash is returned by AD, but not the NT-hash.

> So we might as well give up on nonsensical security, pass the
> nt-hash directly to the RADIUS server, and avoid layers of obfuscation
> that add nothing to efficiency, scalability, stability, or security.

The difference is that the NT-hash-hash is only given to the RADIUS
server for the users who have already successfully authenticated, and
only in the hash-hash form which isn't directly useful for
authentication, only MSCHAPv2 verification that the server actually knew
the password. An MSCHAPv2 server only knowing the hash-hash can
impersonate an authoritative server by faking a success response, but
it cannot actually determine if the supplied NT-response is valid or

You may remember that we had a similar discussion within the RADEXT IETF
working-group some time ago regarding the use of MD5-sess within RADIUS,
and I accept their general consensus that credentials useful for
authentication should not leave the authentication server. This
discussion is actually no different. AD (and Samba's AD impersonation)
is an authentication server, and the credentials needed for
authentication are private to the authentication server and should not
leave the authentication server except in extraordinary conditions with
careful thought on the implications of doing so.
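The distinction Henrik draws above, worked through in code: a server that holds only the NT-hash-hash can build an MS-CHAPv2 Success message for any NT-Response the client sends, but it has none of the material needed to check that NT-Response. This is an added example, not code from this thread, from Samba or from FreeRADIUS. It follows the RFC 2759 formulas (NtPasswordHash, HashNtPasswordHash, ChallengeHash, GenerateAuthenticatorResponse), uses the password, user name and challenges from RFC 2759 section 9.2 as sample input, carries its own pure-Python MD4 because hashlib's MD4 is often unavailable on OpenSSL 3, and substitutes a constructed 24-byte placeholder for the NT-Response the client would send, since producing or validating a real NT-Response needs DES keyed from the NT-hash, which is exactly the value this server is assumed not to have.

```python
"""What an MS-CHAPv2 (RFC 2759) server can and cannot do with only the NT-hash-hash.
Added example; not code from this thread, Samba or FreeRADIUS."""
import hashlib
import struct

MASK32 = 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib's MD4 is frequently missing on OpenSSL 3."""
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", (8 * len(data)) & 0xFFFFFFFFFFFFFFFF)
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    order3 = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", bytes(msg[off:off + 64]))
        a, b, c, d = h
        for i in range(48):
            if i < 16:      # round 1: F, message words in order
                f, k, s, t = (b & c) | (~b & d), i, (3, 7, 11, 19)[i % 4], 0
            elif i < 32:    # round 2: G, message words by column
                j = i - 16
                f, k, s, t = (b & c) | (b & d) | (c & d), (j % 4) * 4 + j // 4, (3, 5, 9, 13)[j % 4], 0x5A827999
            else:           # round 3: H, bit-reversed word order
                j = i - 32
                f, k, s, t = b ^ c ^ d, order3[j], (3, 9, 11, 15)[j % 4], 0x6ED9EBA1
            a = (a + f + x[k] + t) & MASK32
            a = ((a << s) | (a >> (32 - s))) & MASK32
            a, b, c, d = d, a, b, c     # rotate so the next step updates the right word
        h = [(u + v) & MASK32 for u, v in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def nt_hash(password: str) -> bytes:
    """NtPasswordHash: MD4 of the UTF-16LE password. The NT-Response is three DES
    encryptions of the challenge hash keyed from these 16 bytes, so whoever holds
    this value can both produce and verify NT-Responses."""
    return md4(password.encode("utf-16-le"))


def nt_hash_hash(password_hash: bytes) -> bytes:
    """HashNtPasswordHash: MD4 of the NT-hash. Per the message above this is what
    the authenticator hands back; it feeds the Success message, not the NT-Response."""
    return md4(password_hash)


def challenge_hash(peer_challenge: bytes, authenticator_challenge: bytes, username: str) -> bytes:
    """ChallengeHash(): first 8 bytes of SHA1(PeerChallenge || AuthenticatorChallenge || UserName)."""
    return hashlib.sha1(peer_challenge + authenticator_challenge + username.encode("ascii")).digest()[:8]


MAGIC1 = b"Magic server to client signing constant"
MAGIC2 = b"Pad to make it do more than one iteration"


def authenticator_response(hash_hash: bytes, nt_response: bytes, peer_challenge: bytes,
                           authenticator_challenge: bytes, username: str) -> str:
    """GenerateAuthenticatorResponse(), written to take the hash-hash rather than the
    NT-hash. Every other input is public, so a server that only ever received the
    hash-hash can emit a correct-looking Success for ANY 24-byte NT-Response."""
    digest = hashlib.sha1(hash_hash + nt_response + MAGIC1).digest()
    digest = hashlib.sha1(digest + challenge_hash(peer_challenge, authenticator_challenge, username) + MAGIC2).digest()
    return "S=" + digest.hex().upper()


# Sample input: password, user name and challenges from RFC 2759 section 9.2.
PASSWORD = "clientPass"
USERNAME = "User"
AUTHENTICATOR_CHALLENGE = bytes.fromhex("5B5D7C7D7B3F2F3E3C2C602132262628")
PEER_CHALLENGE = bytes.fromhex("21402324255E262A28295F2B3A337C7E")
# Constructed placeholder for the 24 bytes the client sends as its NT-Response.
# It is NOT the RFC's value: computing the real one needs DES keyed from the NT-hash.
CLIENT_NT_RESPONSE = bytes(range(24))


def server_success_message(hash_hash: bytes, client_nt_response: bytes) -> str:
    """The scenario in the message: a RADIUS server holding only the hash-hash and
    whatever NT-Response the client supplied. It can build the Success message,
    but nothing here (or anywhere in its possession) can validate that response."""
    return authenticator_response(hash_hash, client_nt_response,
                                  PEER_CHALLENGE, AUTHENTICATOR_CHALLENGE, USERNAME)


if __name__ == "__main__":
    hh = nt_hash_hash(nt_hash(PASSWORD))   # what the authenticator would hand over
    print("NT-hash      :", nt_hash(PASSWORD).hex())
    print("NT-hash-hash :", hh.hex())
    print("ChallengeHash:", challenge_hash(PEER_CHALLENGE, AUTHENTICATOR_CHALLENGE, USERNAME).hex())
    print("Success msg  :", server_success_message(hh, CLIENT_NT_RESPONSE))
```

Run it and the first three values match the RFC 2759 section 9.2 vectors (PasswordHash 44EB..., PasswordHashHash 41C0..., Challenge D02E...). The point of `server_success_message` is what it does not take: no NT-hash, no DES, so it produces an equally plausible Success for a garbage NT-Response as for a genuine one, which is the "can impersonate, cannot verify" split in the message above.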

