[Samba] Does winbindd/pam transmit cleartext authenticating against an NT PDC

Gerald (Jerry) Carter jerry at samba.org
Tue Jan 27 19:31:21 GMT 2004

Karl DeBisschop wrote:

| But then I would infer that local passwords would be the
| same -- the password is handed to the pam module
| as cleartext, right?

For authentication, the application hands the password
to the PAM layer in cleartext.  How the pam module performs
the authentication using that password is arbitrary.

For example, if you have sshd configured to use
pam_winbindd, the client will send the tunneled
clear text password to sshd which will hand it off
to pam_winbindd.

pam_winbindd will then send a request to winbindd over
a unix domain socket.

And winbindd will issue a net_samlogon() request to
authenticate the user just like a windows client would.

| They are saying there is a cleartext step in pam_winbind
| that does not exist when using local passwords. They are also
| saying that windows servers are secure when authenticating
| against the PDC, but linux servers are not.

Wrong on both counts.

All pam modules that use password based authentication
(that I am aware of) require the clear text password as
input.  Something like pam_unix would then hash the
password and compare it to whatever is in the user's
entry in /etc/passwd.  The end result is the same.

cheers, jerry
~ ----------------------------------------------------------------------
~ Hewlett-Packard            ------------------------- http://www.hp.com
~ SAMBA Team                 ---------------------- http://www.samba.org
~ GnuPG Key                  ---- http://www.plainjoe.org/gpg_public.asc
~ "If we're adding to the noise, turn off this song" --Switchfoot (2003)
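
Added example, not part of the original message and not Samba or PAM code: a Python model of the two module styles described above, both receiving the same cleartext from the application. The PBKDF2 entry format, the ToyDC class and the HMAC challenge-response are constructed stand-ins for the local password hash and the net_samlogon exchange; every name here is hypothetical.

```python
import hashlib
import hmac
import os

# Constructed formats for illustration only: not crypt(3), not NTLM.

def make_entry(password: str, salt: bytes, rounds: int = 50_000) -> str:
    """Build a local password entry of the form rounds$salt_hex$hash_hex."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return f"{rounds}${salt.hex()}${digest.hex()}"

def local_hash_module(cleartext: str, entry: str) -> bool:
    """pam_unix-like: hash the cleartext with the stored salt and compare."""
    rounds, salt_hex, want = entry.split("$")
    got = hashlib.pbkdf2_hmac("sha256", cleartext.encode(),
                              bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(got.hex(), want)

class ToyDC:
    """Stand-in domain controller holding only a password-derived key."""
    def __init__(self, password: str):
        self.key = hashlib.sha256(password.encode()).digest()

    def verify(self, challenge: bytes, response: bytes) -> bool:
        want = hmac.new(self.key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(want, response)

def remote_module(cleartext: str, dc: ToyDC, wire: list,
                  challenge: bytes = None) -> bool:
    """winbindd-like: the cleartext is used locally to answer a challenge;
    only the challenge and the response are recorded as leaving the host."""
    challenge = challenge or os.urandom(8)
    key = hashlib.sha256(cleartext.encode()).digest()
    response = hmac.new(key, challenge, hashlib.sha256).digest()
    wire.append(challenge + response)  # everything sent off-host
    return dc.verify(challenge, response)

if __name__ == "__main__":
    pw = "s3cret"  # constructed sample password
    entry = make_entry(pw, os.urandom(8))
    sent = []
    print("local :", local_hash_module(pw, entry))
    print("remote:", remote_module(pw, ToyDC(pw), sent))
    print("cleartext on wire:", pw.encode() in sent[0])
```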