your mail
Danny Braniss
danny at cs.huji.ac.il
Fri May 22 15:19:32 GMT 1998
In message <Pine.LNX.3.96.980522142543.5288w-100000 at regent.cb1.com> you write:
}danny, can we move this to samba-technical? send me bits you think should
}be private (like the sec by ob) private...
done. i'm only cc'ing this one to you just in case.
}
}On Fri, 22 May 1998, Danny Braniss wrote:
}
}> depends, for unix i just pass the hash, for nt/win i also pass the
}> challenge, and it also does OTP,
}
}what is otp?
One Time Password - we have these cards that generate an otp, for
people that login from untrusted sites, and will be giving them out to
students so they can work in the open spaces.
}so you are implementing pass-through, or trusted domains, already? in
}fact what you've done is make samba a "client" of your authentication
}system.
}
}what we have in samba with the current password database api is a
}"server".
}
}so in fact what you would ideally need to do is to put the samba passdb.c
}etc API code into your _authentication_ server!
}
}damn and bugger. tricky. let me think about this one.
}
the way i see it, i'm moving towards the Unified Theory of Relativity ...
one authentication server for all.
}
}
}are you sure that if you can "set" the LM/NT passwords you can't add a
}"get"? NIS+ and ldap have the ability to do encrypted fields: can you not
}do "radius", which i assume is some encryption method, between the samba
}server and your authentication server?
}
I can do what i please to do, but then again, it's a production system
serving over 300 ws. Since the net is switched, i'm not worried about
sniffing. and samba is running on a 'safe/secure' host - we have intel
boxes to spare.
the main problem i have with my authentication-server
(idNG), is that clients must believe the answer coming from it, and
so i'm working on a pgp-based encryption. anyway, let me see what you
have done and i'll see what i can do.
}
}
}in that case if you can call a "set LM/NT hash", which is clear-text
}equivalent and presumably gets passed either in-the-clear (which is a
}security risk) or two-way-encrypted (ssl / rc4 / radius?), to the
}authentication server, why can you not add a "get LM/NT hash"?
}
}> what i did to enable nt-dom, was that when a user in the unix domain,
}> requests authentication, and it's ok, and there is yet no nt/lm
}> password i generate one.
}
}how? from what? from the clear-text password?
}
yes.
}danny, if you want your database to support NT domains, you are going to
}need to support "get/add/mod" for a complete struct smb_passwd or struct
}sam_passwd entry: these both have NT and LM hashes. if you need a unix
}password in there too, we can add a unix_crypt field, too, but only to
}struct sam_passwd.
}
}the reason is that to do SAM replication, one Samba PDC needs to be able
}to obtain a complete struct sam_passwd entry and transfer it to a BDC.
}
i'm not planning, at this stage, to run a BDC - i am running with 2
nameservers, one NIS server, and one authentication-server and things
are very stable -- FLW (Famous Last Words :-). I might need a BDC if I
go ahead and subnet/vlan the network.
}you also need it for checking the old password, when changing passwords.
}
to change the password, the API sends both the old and new; if ok then
the change is made - to all hashes - unix, nt, lm.
}
}> ps: btw, i'm doing yet another cvs xfer, no signs of pdb_ -yet-, it's
}> BRANCH_NTDOM yes?
}
}no - main branch. what will become 1.9.19alpha soon. BRANCH_NTDOM was
}dropped about six to eight weeks ago.
}
}
}keep going, we'll get there!
}
good thing i'm not paying for net usage :-)
danny