[Samba] LDAP and the Password attrtibute in SAMBA

Gerald (Jerry) Carter jerry at samba.org
Sun Apr 10 00:56:33 GMT 2005


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Paul Gienger wrote:
|
| Windows encrypts the password on the client side and
| sends the password hash over the wire encrypted.  Once it
| gets to the server, the server simply compars the hashes
| and gives the virtual thumbs up/down on it.

Not quite.  The authentication is a challenge/response
mechanism with the actual password hash never going over the
wire.  Only values derived by using the pw hash.

| The crux of the problem is that neither password
| hash is reversable, UNIX or Windows, which is why
| the hash is worth the bits it's stored in... if they
| were reversable security would be a sham at best.

There was some interesting code submitted by Engineers
at Novell for utilizing the clear text password in eDirectory.
The password is pulled via an extended LDAP operation from the
DSA (over ldaps).  smbd can then generate the lm and nt
hashes from this therefore allowing one password to be stored.
We could do the same thing with OpenLDAP if people felt this
was helpful.  I.e. Is storing 'userPassword: {clear}secret'
worth the single password configuration?

And before anyone yells the word 'security!', the danger
is in obtaining the OpenLDAP db files.  It is possible to
security the password from unauthorized LDAP client access.
Of course, the security settings are slightly more challenging
than relying on hashes password being stored in the directory.
However, the lm and nt password hashes are clear text equivalent
so for those people using Samba, using {clear} would be
only slightly more scary.

Just some thoughts.




cheers, jerry
=====================================================================
Alleviating the pain of Windows(tm)      ------- http://www.samba.org
GnuPG Key                ----- http://www.plainjoe.org/gpg_public.asc
"I never saved anything for the swim back."     Ethan Hawk in Gattaca
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (Darwin)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFCWHnBIR7qMdg1EfYRAvF7AKC8LncAEWau/F1kWjSs2SK7bDBTKQCeIRXw
j8shu94KfMSCtSTtpGGS+nw=
=LUig
-----END PGP SIGNATURE-----



More information about the samba mailing list