Password Synchronization NT -> UNIX

Bjart Kvarme bjart.kvarme at usit.uio.no
Tue Dec 30 11:49:41 GMT 1997


At 04:25 24.12.97 +1100, Jeremy Allison wrote:
>BERG Dietmar/BIS-C wrote:
>> 
>> Hi everyone,
>> 
>> I have a question regarding password synchronization: Has anyone already
>> written code to use the "Password filter" hook on NT to capture and
>> synchronize passwords from NT to a UNIX-Server? It should not be too
>> difficult, but I want to avoid re-inventing the wheel.
>> 
>> TIA, Dietmar Berg
>
>Dietmar,
>
>	Yes - I wrote such code as part of Cygnus's Kerberos-on-NT
>product (KerbNet) - it's available as full source code
>from cygnus (check out www.cygnus.com). It's not currently
>exportable from the US though due to the insanity of the
>US government :-(.

Is it possible to make the code available without the Kerberos stuff? The
(for me) useful part should be exportable.

Today we have 29,000 UNIX users in one NIS domain, and all UNIX users also
get an NT account in our NT domain.

A couple of years ago we made a meta user database called UREG2000, which
is tailored for the University. We used this to generate NIS users,
assign/change passwords, assign/change home directories etc. Users find it
hard to relate to more than one password, so we were looking for a way of
synchronizing our NIS users with an NT domain. When pwdump was posted (thanks
Jeremy!), I reversed it into a pwload version which takes a username and
the password hashes and writes them directly into the registry. We then
rewrote UREG2000 to hold NT-specific information like NT homedir, NT
password hash etc. and created a new export format from UREG2000 -> NT.
We then do a diff on the domain controller and UREG2000 once a day, and
update the NT domain controller with any records which are out of sync with
the UREG2000 base. To make sure users change passwords against UREG2000
instead of the NT domain, no NT accounts are allowed to change passwords.
This is done with a Winsock program which talks directly to UREG2000.

Today new users are added to the NT domain automatically when we create new
NIS accounts or users change passwords. We now have over 22,000 NT users.
I created the first 20 NT accounts manually, but the rest are all created
(and maintained) by our own meta database. This has saved us a lot of work.

We have been thinking about improvements, and one could be a "password filter"
which passes the new password to UREG2000 for validation (we run Crack and
a couple of other checks on each new password). The drawback here is the
error message the users get when the password filter denies a
password change. It's based on the rules in MS's own passfilt.dll and I've not
found a good way of changing it. It will confuse our users.

A second improvement would be a little daemon/service running on the PDC,
making it possible to change passwords by talking to a TCP port.

- Bjart
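The once-a-day diff between the domain controller and UREG2000 described above, written out as an added example. This is not Bjart's code and not part of UREG2000, pwdump or pwload: it assumes both sides can be dumped in the same colon-separated, pwdump-style layout (user, RID, LM hash, NT hash, comment, home directory), which is an assumption made for the example, and every account line below is constructed. The output is the list of records a loader such as pwload would need to push to the PDC.

```python
"""Daily account diff between the UREG2000 export and an NT domain controller.

Added example, not code from the original post or from UREG2000/pwload.
It assumes both sides can be dumped in a pwdump-style layout
(user:rid:LM hash:NT hash:comment:home directory:) and all sample data is
constructed. Only hashes are compared, so the cleartext password never has
to leave UREG2000.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

HEX = set("0123456789ABCDEF")


@dataclass(frozen=True)
class Account:
    user: str
    rid: Optional[int]      # None in the master export until NT assigns one
    lm_hash: str            # 32 hex digits, normalised to upper case
    nt_hash: str
    homedir: str


def _hash32(field: str, lineno: int, name: str) -> str:
    """Validate and normalise a 32-hex-digit hash field."""
    h = field.strip().upper()
    if len(h) != 32 or not set(h) <= HEX:
        raise ValueError(f"line {lineno}: {name} must be 32 hex digits, got {field!r}")
    return h


def parse_dump(text: str) -> Dict[str, Account]:
    """Parse pwdump-style lines into a dict keyed by lower-cased user name
    (NT account names are case-insensitive). Malformed or duplicate lines are
    rejected rather than skipped: a silently skipped DC line would make a live
    account look missing and produce a spurious 'create'."""
    accounts: Dict[str, Account] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 6:
            raise ValueError(f"line {lineno}: need 6 colon-separated fields, got {len(fields)}")
        user, rid, lm, nt, _comment, homedir = fields[:6]
        key = user.lower()
        if key in accounts:
            raise ValueError(f"line {lineno}: duplicate account {user!r}")
        accounts[key] = Account(
            user=user,
            rid=int(rid) if rid else None,
            lm_hash=_hash32(lm, lineno, "LM hash"),
            nt_hash=_hash32(nt, lineno, "NT hash"),
            homedir=homedir,
        )
    return accounts


def diff_accounts(master: Dict[str, Account], dc: Dict[str, Account],
                  exempt: Iterable[str] = ()) -> List[Tuple[str, Account]]:
    """Return (action, record) pairs that bring the DC in line with the master:
    'create' for master accounts missing on the DC, 'update' where a hash or the
    home directory differs, and 'orphan' for DC accounts the master does not
    know about. Orphans are reported, never deleted automatically; built-in
    accounts (Administrator, Guest, ...) are passed in as exempt."""
    skip = {name.lower() for name in exempt}
    actions: List[Tuple[str, Account]] = []
    for key in sorted(master):
        want, have = master[key], dc.get(key)
        if have is None:
            actions.append(("create", want))
        elif (want.lm_hash, want.nt_hash, want.homedir) != (have.lm_hash, have.nt_hash, have.homedir):
            actions.append(("update", want))   # push the master's record, not the DC's
    for key in sorted(dc):
        if key not in master and key not in skip:
            actions.append(("orphan", dc[key]))
    return actions


def _line(user, rid, lm, nt, comment, homedir) -> str:
    return f"{user}:{rid}:{lm}:{nt}:{comment}:{homedir}:"


# Constructed sample data; the hash fields are 32-digit placeholders, not real hashes.
UREG_EXPORT = "\n".join([
    "# UREG2000 -> NT export (constructed)",
    _line("alice", 1001, "A" * 32, "1" * 32, "Alice", r"\\fs1\home\alice"),
    _line("bob",   1002, "B" * 32, "2" * 32, "Bob",   r"\\fs1\home\bob"),
    _line("carol", "",   "C" * 32, "4" * 32, "Carol", r"\\fs1\home\carol"),  # not yet on the DC
])
DC_DUMP = "\n".join([
    "# pwdump of the PDC (constructed)",
    _line("Administrator", 500, "0" * 32, "F" * 32, "Built-in", ""),
    _line("Alice", 1001, "a" * 32, "1" * 32, "Alice", r"\\fs1\home\alice"),  # same, different case
    _line("bob",   1002, "B" * 32, "3" * 32, "Bob",   r"\\fs1\home\bob"),    # stale NT hash
    _line("dave",  1003, "D" * 32, "5" * 32, "Dave",  r"\\fs1\home\dave"),   # unknown to UREG2000
])


def daily_plan() -> List[Tuple[str, str]]:
    """The day's work list as (action, user) pairs for the constructed data."""
    master, dc = parse_dump(UREG_EXPORT), parse_dump(DC_DUMP)
    return [(action, acct.user)
            for action, acct in diff_accounts(master, dc, exempt={"Administrator", "Guest"})]


if __name__ == "__main__":
    for action, user in daily_plan():
        print(f"{action:7s} {user}")
```

The diff is keyed on the case-folded account name and compares normalised hashes, so a DC dump that prints `Alice` with lower-case hex does not trigger a needless update; an account that exists on the DC but not in the master is only flagged, since deleting it automatically would also remove the manually created built-in accounts unless they are listed as exempt.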

