your mail
Danny Braniss
danny at cs.huji.ac.il
Sat May 23 17:22:31 GMT 1998
In message <Pine.LNX.3.96.980523142304.800E-100000 at regent.cb1.com>you write:
}
}> for the time being, samba generates that one on-the-fly (hash("host")),
}
}ok, if you support only this and do not support a direct "set NT 16 byte
}password hash", then you can't support the "workstation password change
}function", which is a workstation trust account set function. this is a
}security risk.
i see what you mean, hum, i will have do do some re-thinking here.
}
}> and i have an ACL (access-control-list) function that is used to
}> allow/disallow a user access to a specific ws, for example only first
}> year students have access to certain hosts, etc.
}
}cool! that is actually automatically supported, as it were, in NT SAMs.
}but only up to 8 workstations can be put in the list.
no limit here, a perl script generates entries like
host-01 netgroup-a,+john,etc
from a line
host-{00..1000} netgroup-a,+john,etc
and hesiod does the rest.
}
}>
}> }- a _direct_ change NT / LM password hash, ok
}> }
}> }- let's think. a "is_smb_passwd_ok(NThash and/or LMhash)" function:
}> }maybe. yeah, i reckon you could get away with this. we'd have to add it
}> }to the password api...
}> }
}> if you could unify all calls for (smb only?)authentication into:
}> is_smb_passwd_ok(user-name, type, challenge, NThash, LMhash)
}>
}> and type: i don't have a nice name - yet - but i see two types
}> according to the hash function to use:
}>
}> 1) for logon
}> 2) for all other services.
}
}all services use nt lm hashes. there actually need (and are) two versions
}of this function.
}
}one takes NT hash and LM hash; the other takes an 8 byte challenge plus
}the 24 byte NT response (generated by client from 16 byte blah blah) plus
}24 byte LM response (generate by client from blah blah) you know the
}score.
}
}these two functions already exist therefore in password.c. from what you
}are saying
if both are in password.c (didn't get a chance to look at yet) then it
will be easy, in the prev. releases they were in smbpass &
rpc_something-or-other (...intercative...()).
}
}> this is fun, im working in the garden, and i get down to the basement
}> for some e-mail exhanges, software/hardware.
}
}cool! how are the roses?
}
the roses are doing fine - not much reprograming there - it's the
bloody grass that keeps growing and growing and the weeds.
danny
More information about the samba-technical
mailing list