[Samba] LDAP and the Password attribute in SAMBA
Paul Gienger
pgienger at ae-solutions.com
Fri Apr 8 20:15:19 GMT 2005
> would make it easier if SAMBA could use say the userpassword attribute
This comes up every month or so, and the answer is always no. Here's my
understanding of how it works, somebody correct me if I'm wrong (or
affirm if right for once ;) )
Windows encrypts the password on the client side and sends the password
hash over the wire encrypted. Once it gets to the server, the server
simply compares the hashes and gives the virtual thumbs up/down on it.
The crux of the problem is that neither password hash is reversible,
UNIX or Windows, which is why the hash is worth the bits it's stored
in... if they were reversible security would be a sham at best. You
should be able to follow through at this point that comparing two hashes
of different types is pointless since you can't derive the original
value, and the hashes are obviously going to be different.
So basically, unless you can configure Windows to send the same hash as
your UNIX system uses or get your system to use the NT string, you're
pretty much borked. Of course this would also require samba to check
the sent hash against /etc/passwd|shadow, but that would probably be
trivial compared to reconfiguring Windows or rewriting PAM to read an NT
hash.
Make sense? It's late on Friday and I'm burned out, so question away if
it doesn't.
--
Paul Gienger Office: 701-281-1884
Applied Engineering Inc.
Systems Architect Fax: 701-281-1322
URL: www.ae-solutions.com mailto: pgienger at ae-solutions.com