[Samba] Does winbindd/pam transmit cleartext authneticating against an NT PDC

Karl DeBisschop kdebisschop at alert.infoplease.com
Tue Jan 27 19:15:26 GMT 2004

On Tue, 2004-01-27 at 13:54, Gerald (Jerry) Carter wrote:
> Hash: SHA1
> Jeremy Allison wrote:
> | On Tue, Jan 27, 2004 at 12:44:34PM -0500, Karl DeBisschop wrote:
> |
> |>I'm being told that when winbindd is used to connect a Linux client to
> |>an NT PDC, that encrypted passwords cannot be used in transport. In
> |>other words that passwords are sent over the wire in clear text.
> |>
> |>I find this surprising. Nor can i find documentation of this assertion
> |>anywhere.  Can anyone definitively say this is true or false?
> |
> |
> | Definitively this is false. winbindd uses the same methods as
> | a Windows member server to enumerate accounts. No cleartext.
> But perhaps the original question was about getting the
> password to pam_winbind in the first place?  The UNIX
> application hands the clear text of the password to
> pam_winbind which talks to winbindd over a unix domain
> socket.  Then winbindd does talk to the DC just like Jeremy
> says.

But then I would infer that local passwords would be the same -- the
password is handed to the pam module as cleartext, right? 

They are saying there is a cleartext step in pam_winbind that does not
exist when using local passwords. They are also saying that windows
servers are secure when autthenticaing against the PDC, but linux
servers are not.

> Maybe your original source of information is talking about
> PAM in general?  Or has the facts mixed up wrt to winbindd.

No, they are clearly not talking about pam in general - that want to use
local md5 passwords via the pam stack.

But they could certainly be mixed up.

Karl DeBisschop <kdebisschop at alert.infoplease.com>
Pearson Education/Information Please

More information about the samba mailing list