[Samba] Migration from Ldap to Samba+Ldap

Charlie medievalist at gmail.com
Fri May 30 23:18:38 GMT 2008


Apologies to the original poster for Rob & I chopping this all up...

On Fri, May 30, 2008 at 4:37 PM, Rob Shinn <rob.shinn at gmail.com> wrote:

> On Fri, May 30, 2008 at 3:12 PM, Charlie <medievalist at gmail.com> wrote:
>>
>> When I converted our networks to samba a decade or more ago, I started
>> out by trying to crack all our user passwords by brute force, but I
>> could only get about 90% of them in any reasonable time frame.  So,
>
> Wow.  *Only* 90%.  Did the security admin have a cow?  Perhaps your password
> policies were too lax?

Nowadays I could probably do better.  There's more compute power
available, and rainbow tables are easy script-kiddy stuff these days.
But yes, I did have a cow, and yes, our password policies were (but no
longer are) certainly much too lax.

>> instead, we modified our password changing process to produce the NT
>> and LM hashes as well as the MD5 hashes and made all our users
>> passwords expire over the course of the next two weeks.
>
> Maybe it should be mentioned that this can be accomplished with the 'unix
> password sync = yes' if you are using pam_ldap on your Samba server.

  AFAIK, that will only work *after* you've gotten synchronized to
start with.  If you haven't any NT hashes, just MD5 hashes like the
original poster, your users can't log into samba since samba can't
supply an NT hash to the client PC with CHAP or whatever.  Samba makes
it easy to maintain sync even though it's hard to establish sync
initially.

  Oh, and "ldap password sync = yes" is probably more efficient -
keeps the name service switch and PAM out of the picture - but I think
you should watch out to make sure your LDAP transport is using the
encryption you want it to, or you might get plaintext or SHA hashes in
userPassword instead of salted MD5s.

--Charlie
