[Samba] Does winbindd/pam transmit cleartext
authenticating against an NT PDC
Karl DeBisschop
kdebisschop at alert.infoplease.com
Tue Jan 27 19:15:26 GMT 2004
On Tue, 2004-01-27 at 13:54, Gerald (Jerry) Carter wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Jeremy Allison wrote:
> | On Tue, Jan 27, 2004 at 12:44:34PM -0500, Karl DeBisschop wrote:
> |
> |>I'm being told that when winbindd is used to connect a Linux client to
> |>an NT PDC, that encrypted passwords cannot be used in transport. In
> |>other words that passwords are sent over the wire in clear text.
> |>
> |>I find this surprising. Nor can I find documentation of this assertion
> |>anywhere. Can anyone definitively say this is true or false?
> |
> |
> | Definitively this is false. winbindd uses the same methods as
> | a Windows member server to enumerate accounts. No cleartext.
>
> But perhaps the original question was about getting the
> password to pam_winbind in the first place? The UNIX
> application hands the clear text of the password to
> pam_winbind which talks to winbindd over a unix domain
> socket. Then winbindd does talk to the DC just like Jeremy
> says.
But then I would infer that local passwords would be the same -- the
password is handed to the pam module as cleartext, right?
They are saying there is a cleartext step in pam_winbind that does not
exist when using local passwords. They are also saying that Windows
servers are secure when authenticating against the PDC, but Linux
servers are not.
> Maybe your original source of information is talking about
> PAM in general? Or has the facts mixed up wrt to winbindd.
No, they are clearly not talking about pam in general - they want to use
local md5 passwords via the pam stack.
But they could certainly be mixed up.
--
Karl DeBisschop <kdebisschop at alert.infoplease.com>
Pearson Education/Information Please
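
Added example, not part of the original message and not Samba code: a simplified model of the two legs discussed in this thread, showing that the password is cleartext only on the local unix domain socket and that only a challenge and a response cross the wire to the DC. HMAC-SHA256 stands in for the real challenge-response scheme, and ToyDC, derive_key and authenticate are hypothetical names.

```python
import hashlib, hmac, os, socket

def derive_key(password: str) -> bytes:
    # Stand-in for the password hash both sides hold (assumption: SHA-256, not the NT hash).
    return hashlib.sha256(password.encode("utf-8")).digest()

class ToyDC:
    """Hypothetical domain controller: keeps a derived key per user, never the password."""
    def __init__(self, accounts):
        self.keys = {u: derive_key(p) for u, p in accounts.items()}
        self.pending = {}

    def challenge(self, user):
        self.pending[user] = os.urandom(16)   # fresh nonce per attempt
        return self.pending[user]

    def verify(self, user, response):
        chal = self.pending.pop(user, None)   # one use only, so a replay fails
        key = self.keys.get(user)
        if chal is None or key is None:
            return False
        expected = hmac.new(key, chal, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

def authenticate(user, password, dc):
    """Returns (ok, bytes seen on the local socket, bytes seen on the network)."""
    # Leg 1: PAM module -> daemon over a unix domain socket. Cleartext, local only.
    pam_end, daemon_end = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        local_bytes = f"{user}\0{password}".encode("utf-8")
        pam_end.sendall(local_bytes)
        got_user, got_pw = daemon_end.recv(4096).decode("utf-8").split("\0", 1)
    finally:
        pam_end.close()
        daemon_end.close()
    # Leg 2: daemon <-> DC. Only the user name, challenge and response are sent.
    chal = dc.challenge(got_user)
    resp = hmac.new(derive_key(got_pw), chal, hashlib.sha256).digest()
    wire_bytes = got_user.encode("utf-8") + chal + resp
    return dc.verify(got_user, resp), local_bytes, wire_bytes

if __name__ == "__main__":
    dc = ToyDC({"karl": "constructed-pw"})    # constructed sample account
    ok, local, wire = authenticate("karl", "constructed-pw", dc)
    print(ok, b"constructed-pw" in local, b"constructed-pw" in wire)
```

The local leg is the same exposure any PAM module has, including one that checks local md5 passwords: the application always hands PAM the cleartext.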