trying to correctly handle account passwords via ldap

Luke Howard lukeh at
Wed Mar 29 21:44:33 GMT 2006

>  RADIUS servers, on the other hand, have everything to gain by having
>access to the NT-HASH or clear-text passwords.  It means that multiple
>authentication protocols become possible, which is what customers are
>asking for.  Right now, for RADIUS to AD interaction, MS-CHAP is the
>only option.  This is a problem for many customers.

It's possible to do DIGEST-MD5 pass-through authentication to AD.

>  Samba is the *only* path where this may be possible.  Allowing the
>administrator to export clear-text passwords from Samba to an external
>authentication server means that the customer gets what they want.

Well, you can't just export clear-text passwords unless they have been
stored, which is not the default. But you can certainly get the NTLM
and Digest OWFs using the native replication protocol.

>   And, it means that Samba doesn't have to implement CHAP, EAP, or
>Digest authentication.

Well, it will have to implement Digest pass-through authentication if
it is to support Windows member servers that wish to do such pass-
through authentication.

-- Luke


More information about the samba-technical mailing list