[Samba] LDAP and the Password attribute in SAMBA

Andrew Bartlett abartlet at samba.org
Sun Apr 10 10:52:12 GMT 2005


On Sat, 2005-04-09 at 17:56 -0700, Gerald (Jerry) Carter wrote:
> Paul Gienger wrote:
> |
> | Windows encrypts the password on the client side and
> | sends the password hash over the wire encrypted.  Once it
> | gets to the server, the server simply compares the hashes
> | and gives the virtual thumbs up/down on it.
> 
> Not quite.  The authentication is a challenge/response
> mechanism with the actual password hash never going over the
> wire.  Only values derived by using the pw hash.
> 
> | The crux of the problem is that neither password
> | hash is reversible, UNIX or Windows, which is why
> | the hash is worth the bits it's stored in... if they
> | were reversible security would be a sham at best.
> 
> There was some interesting code submitted by Engineers
> at Novell for utilizing the clear text password in eDirectory.
> The password is pulled via an extended LDAP operation from the
> DSA (over ldaps).  smbd can then generate the lm and nt
> hashes from this therefore allowing one password to be stored.
> We could do the same thing with OpenLDAP if people felt this
> was helpful.  I.e. Is storing 'userPassword: {clear}secret'
> worth the single password configuration?

I do think this could be useful, and considered writing this up in the
past.  I was actually hoping that this would be how the eDirectory
password would be exposed to Samba.  The cleartext can be useful beyond
just Samba - the generic Cyrus-SASL code needs a cleartext password, and
it would be nice for a site to be able to deploy Samba and these other
systems without plaintext + hashes.  (Likewise for Heimdal for a KDC).

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net
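The two mechanisms Jerry describes above (the challenge/response is computed from the password hash, never the password, and smbd can derive the NT hash from a cleartext userPassword) as an added example that is not part of this thread or of Samba's code: a pure-Python MD4 (hashlib's md4 is often disabled in modern OpenSSL), the NT hash derivation, and a server-side NTLMv2 verification in the MS-NLMP form. User, domain, challenge and blob values are constructed; the DES-based LM hash is not shown.

```python
import hashlib
import hmac
import struct

def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib's md4 is often disabled in modern OpenSSL builds."""
    rol = lambda x, n: ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF
    rounds = (  # (mix function, additive constant, shifts, message-word schedule)
        (lambda x, y, z: (x & y) | (~x & z), 0, (3, 7, 11, 19), lambda i: i),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999, (3, 5, 9, 13),
         lambda i: (i % 4) * 4 + i // 4),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1, (3, 9, 11, 15),
         lambda i: int(f"{i:04b}"[::-1], 2)),
    )
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg)) % 64) + struct.pack("<Q", 8 * len(data))
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        r = h[:]
        for fn, add, shifts, word in rounds:
            for i in range(16):
                t = -i % 4  # register updated this step cycles A, D, C, B
                x, y, z = r[(t + 1) % 4], r[(t + 2) % 4], r[(t + 3) % 4]
                r[t] = rol((r[t] + fn(x, y, z) + X[word(i)] + add) & 0xFFFFFFFF, shifts[i % 4])
        h = [(a + b) & 0xFFFFFFFF for a, b in zip(h, r)]
    return struct.pack("<4I", *h)

def nt_hash(password: str) -> bytes:
    """The NT hash smbd would derive from a cleartext password: MD4 over UTF-16LE."""
    return md4(password.encode("utf-16-le"))

def ntlmv2_response(nt: bytes, user: str, domain: str, challenge: bytes, blob: bytes) -> bytes:
    """NTLMv2 response (MS-NLMP): both HMACs are keyed by the hash; the password itself is never used."""
    key = hmac.new(nt, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()
    return hmac.new(key, challenge + blob, hashlib.md5).digest()

def server_verify(stored_nt: bytes, user: str, domain: str, challenge: bytes,
                  blob: bytes, response: bytes) -> bool:
    """Server side: recompute from the stored hash only and compare in constant time."""
    return hmac.compare_digest(ntlmv2_response(stored_nt, user, domain, challenge, blob), response)

if __name__ == "__main__":
    # Constructed sample values; the 8-byte challenge normally comes from the server.
    stored = nt_hash("secret")  # what smbd would compute from 'userPassword: {clear}secret'
    challenge, blob = bytes(range(8)), b"\x01\x01" + bytes(14)
    resp = ntlmv2_response(nt_hash("secret"), "alice", "EXAMPLE", challenge, blob)
    print(server_verify(stored, "alice", "EXAMPLE", challenge, blob, resp))  # True
    print(server_verify(nt_hash("wrong"), "alice", "EXAMPLE", challenge, blob, resp))  # False
```

Because the server only ever needs the stored hash, a directory that holds the cleartext must protect it as strictly as the hash; the hash is already a password equivalent for this protocol.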