trying to correctly handle account passwords via ldap
Luke Howard
lukeh at padl.com
Wed Mar 29 21:44:33 GMT 2006
> RADIUS servers, on the other hand, have everything to gain by having
>access to the NT-HASH or clear-text passwords. It means that multiple
>authentication protocols become possible, which is what customers are
>asking for. Right now, for RADIUS to AD interaction, MS-CHAP is the
>only option. This is a problem for many customers.
It's possible to do DIGEST-MD5 pass-through authentication to AD.
> Samba is the *only* path where this may be possible. Allowing the
>administrator to export clear-text passwords from Samba to an external
>authentication server means that the customer gets what they want.
Well, you can't just export clear-text passwords unless they have been
stored, which is not the default. But you can certainly get the NTLM
and Digest OWFs using the native replication protocol.
> And, it means that Samba doesn't have to implement CHAP, EAP, or
>Digest authentication.
Well, it will have to implement Digest pass-through authentication if
it is to support Windows member servers that wish to do such pass-
through authentication.
-- Luke
--
More information about the samba-technical
mailing list