No subject

[Donald Gaffney]

> Date: Thu, 4 Dec 1997 07:03:49 -0800 
> From: "Jorge Silva (Jorge Gomes da Silva)" <jorgesil at microsoft.com>
> To: "'samba at samba.anu.edu.au'" <samba at samba.anu.edu.au>
> Subject: /etc/passwd - Domain Controller Synchronization
> Message-ID: <A1A4DA3CD56ECF11973200805F685F1680F51B at LIS-01-MSG>
> 
> Hello,
> 
> I don't know much about Samba so forgive me if this is a stupid question.
> 
> I'm currently working on a project for a client that relies on Unix machines
> for their main applications. Access to Unix applications is done through
> terminal emulation (vt 100) on Windows PCs.
> 
> We are implementing a Windows NT network for file an print sharing and to
> support SMS. One of the goals of the project is to achieve an authentication
> scheme where username and password are exactly the same on Unix and NT. In
> this kind of solution if the user changes it's password in NT it will also
> change in Unix (/etc/passwd). We would like to know if this kind of
> synchcronization is possible with Samba (we only need to reflect changes
> made on NT to Unix, we don't need it to work from Unix to NT). 
> 
> If you think you can help me please email me your answers directly as I'm
> not a member of this mailing list.
> 
> Thanks in advance.
> 
> Jorge.
> (Microsoft - Portugal)
> 

There is a solution to *this* problem, that is the problem of
password syncronization. If you wish to redefine the problem to one
of authentication databases in general, then the solutions posed by
Luke or Brendon should be considered (both of them suggest using NT's 
own SAM database as queried via SMB in place of authentication native
to UNIX). As even your organization considers Kerberos to be a good 
solution it should be given considerable thought; especially in light
of the Kerbnet source being made available Cygnus Solutions
(http://www.cygnus.com/product/kerbnet-index.html) although ITAR 
restrictions may preclude its use in Portugal.

The thing to keep in mind in password syncronization is that UNIX passwords
and NT (not LanMan) passwords cannot be decrypted from their respective
one-way hash ciphertexts. That is, you *cannot* convert through some function
F:

NT MD4 Hash = F(UNIX salted modified DES one-way hash); Not possible! 

or

UNIX salted modified DES one-way hash = F(NT MD4 Hash); Not possible!

[NOTE: You could probably brute-force the weaker LanMan passwords stored in
the SAM back to plaintext although this would be quite compute intensive.]

What this means is that all users will need to change their passwords
at implementation time (you will issue new passwords to all users) in
order to sample their plain text passwords.

Once that occurs then you need some way of maintaining consistent
password databases across UNIX realms (or workstations) and NT domains (or 
workstations). Note the notion of realms and domains here suggests that
there is already some mechanism for common machines to access their 
authentication database. You are familiar with NT Domains, on UNIX this 
mechanism is typically provided by NIS, Kerberos, or I suppose DCE.

How you make sure that the databases are consistent across the two systems
is a problem. It is a HUGE problem if you cannot even leverage the 
domain/realm on each side; that is if you have to go workstation to 
workstation and update local databases.

Given that realms/domains are available it is somewhat easier. On the PDC and
some realm machine you need a service and a daemon respectively. On the 
clients you need to change the passwd program for UNIX and the GINA.DLL 
for NT. The client programs have access to the plaintext. They open a  
secure channel to the daemon or service and pass the username and 
plaintext passwords (possibly both old and new). The daemon and service use 
their local system calls to modify their authentication databases. Naturally, 
you'll want to make sure that the plaintext is suitable given local 
constraints (UNIX passwords are typically only 8 chars) and business rules. 
You'll also want some fault tolerance built in just in case the realm or 
domain is not availble when the password update request is made.

Implementation is left as an exercise for the reader.  ;-)

Seriously though, use of NIS GINA or KerbNet is far easier. You could also
try the modified UNIX apps, which consult the NT PDC directly, or 
implement a PDC server DLL (I recall seeing this on the MSDN CD) which 
would consult a UNIX passwd file or authentication daemon (and also 
presumably update it on password changes). Jeremy Allison also wrote some
code (pwdchange.c SAMBA Digest 1125) a while back that trapped password 
changes on NT 4.0 and dumped them to a text file. You might be able to 
easily modify this code to send the plaintext or ciphertext on to a UNIX 
daemon which would update /etc/passwd. 

Good luck, and please let the SAMBA list know how you solve the problem,

-Don