[Samba] passwords - windows - clear or hashed over wire?
Terry Davis
tdavis at birddog.com
Tue Feb 5 00:37:17 GMT 2002
Andrew Bartlett wrote:
> Terry Davis wrote:
>
>>Hello,
>>
>>I am testing some things and coming up with weird results.
>>Here is the scoop:
>>
>>I have samba set to:
>>unix password sync = yes
>>pam password change = yes
>>
>>I am trying to test what is going on when I change a user's password
>>from a windows box using the windows password utility. Here is what
>>happens.
>>
>>If I have /etc/pam.d/samba set to:
>>auth required pam_nologin.so
>>auth required pam_stack.so service=system-auth
>>account required pam_stack.so service=system-auth
>>session required pam_stack.so service=system-auth
>>password required pam_stack.so service=system-auth
>>
>>samba changes the smbpasswd file to update the changes I made in windows
>>to the password. It stores the passwords hashed as expected.
>>
>>If I set /etc/pam.d/samba to:
>>auth required pam_ldap.so
>>account required pam_ldap.so
>>session required pam_ldap.so
>>password required pam_ldap.so
>>
>>then samba changes the password in the ldap server. This is great!!
>>One problem, it changes the password in ldap to be clear! How does it
>>do this? I didn't think windows sent the password accross the wire in
>>the clear.
>>
>
> Windows sends the *new* password in the clear, so it can be
> strength-checked etc.
>
> The LDAP stuff is entirly within pam_ldap.so, and I would suggest you
> see if the /etc/ldap.conf file allows you to configure its behaviour. (I
> think it does).
>
> Andrew Bartlett
>
>
Hrm, I didnt see anything in the clear. Would this be done over tcp
port 139?
Thank you for your help. It is greatly appreciated!
--
Terry Davis
Systems Administrator
BirdDog Solutions, Inc.
(402) 829-6059
More information about the samba
mailing list