OT: change NT login procedure

Simo Sorce simo.sorce at polimi.it
Thu Feb 1 08:34:40 GMT 2001


On Wed, 31 Jan 2001, Gerald Carter wrote:

> Osama Abu-Aish wrote:
> >
> > In many environments NIS is used, which sends the
> > passwd hashes (which are cleartext equivalent) over
> > the wire. And AFAIK LDAP authentication also sends
> > the passwd in cleartext.
>
> Ummm.... These two statements are wrong. DES password
> hashes used in /etc/passwd are not clear text equivalents.
> The use of salt in the encryption key makes a given
> ASCII string hash to a different value each time (as opposed to
> LanMan/NT hashes, which are plain text equivalents).

Right, and in addition, Linux for example may also share MD5-hashed passwords with
NIS, and NIS+ should use a challenge-response method before passing
passwords over an encrypted channel.

>
> Refer to the SASL implementations in the LDAP v3
> rfcs (2251 in particular) for more on LDAP binds.
> While there is a simple bind (clear text), this is not
> the only one available.
>

Right, this one also.
I've also tested NISGINA and must say that it is unsuitable for
environments in which users have roaming profiles.
Basically NIS Gina CREATES a new local user in the wks SAM the first time
he (she) logs on, so profiles are local and cannot be made roaming, as every
machine has a different SID/RID for the same NIS user.

I've thought a lot in past years about a solution for this problem, but
I don't have M$ development tools so I can hardly try anything.

I think the best way is not to replace the original GINA but to add a
wrapper to it on the change-password function (or the entire password-asking
function) so that this layer may get the password and then pass the data
back to the original GINA and let it continue.
At the same time a new facility may be added to Samba to let the layer on
top of GINA send Samba the cleartext password (over an encrypted
connection) for syncing purposes.

This is the way until a better method is implemented (LDAP+Kerberos?).

Simo.

-- 
Simo Sorce - Linux Systems Consultant
E-mail: simo.sorce at polimi.it
Tel: +39 0348 7149179 - Fax: +39 02 700442399
-----------------------------------------------------------------
Be happy, use Linux!
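The point Gerald makes above (salted crypt hashes are not plaintext equivalents, LanMan/NT hashes are) is easy to see in code. The following is an added illustration, not code from this thread, from Samba, NIS or Windows; it uses SHA-256 and PBKDF2 as stand-ins for the real MD4 (NT hash) and DES crypt(3) computations, a constructed 16-byte salt instead of crypt's two-character one, and an HMAC-based challenge/response as a simplified model of an NT-style exchange. Every function and field name here is the example's own.

```python
"""Added example: salted vs unsalted password hashes.

Shows (1) a per-entry salt makes the same password hash to a different
stored value each time, and the stored value alone cannot log in, because
verification needs the password itself; (2) an unsalted hash used as the
key of a challenge/response exchange is plaintext-equivalent: whoever holds
the stored value can answer the challenge without knowing the password.
SHA-256 / PBKDF2 / HMAC stand in for MD4 / DES crypt / NTLM (assumption).
"""
import hashlib
import hmac
import os

SALT_LEN = 16          # constructed; crypt(3) uses a 2-character salt
PBKDF2_ROUNDS = 50_000


def unsalted_digest(password: str) -> bytes:
    """Unsalted digest, NT-hash style (stand-in: SHA-256 over UTF-16LE).
    Same password -> same value, on every machine and for every user."""
    return hashlib.sha256(password.encode("utf-16-le")).digest()


def salted_digest(password: str, salt: bytes) -> bytes:
    """Salted digest, crypt(3) style (stand-in: PBKDF2-HMAC-SHA256).
    The salt is folded into the computation, so it must be stored with it."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def make_salted_record(password: str, salt: bytes = b"") -> bytes:
    """Stored record = salt || digest, as /etc/passwd stores salt + hash.
    A fresh random salt is drawn unless one is supplied (tests pass a fixed one)."""
    salt = salt or os.urandom(SALT_LEN)
    assert len(salt) == SALT_LEN
    return salt + salted_digest(password, salt)


def verify_salted(record: bytes, password: str) -> bool:
    """Verification recomputes the digest from the candidate password:
    the record alone is useless as a credential."""
    salt, digest = record[:SALT_LEN], record[SALT_LEN:]
    return hmac.compare_digest(digest, salted_digest(password, salt))


def challenge_response(secret: bytes, challenge: bytes) -> bytes:
    """Simplified NT-style proof of possession, keyed on the stored hash."""
    return hmac.new(secret, challenge, "sha256").digest()


def verify_challenge(stored_secret: bytes, challenge: bytes, response: bytes) -> bool:
    """Server side: recompute the proof from the hash it has on file."""
    return hmac.compare_digest(challenge_response(stored_secret, challenge), response)


def demo(password: str = "s3cret") -> dict:
    """Two users sharing one password; constructed sample data."""
    alice_unsalted = unsalted_digest(password)
    bob_unsalted = unsalted_digest(password)
    alice_salted = make_salted_record(password)
    bob_salted = make_salted_record(password)

    challenge = os.urandom(8)
    # A client that knows the password derives the key and answers...
    resp_from_password = challenge_response(unsalted_digest(password), challenge)
    # ...but the stored hash alone yields the identical answer, which is why
    # such a hash database must be protected exactly like plaintext passwords.
    resp_from_stored = challenge_response(alice_unsalted, challenge)

    return {
        "unsalted_records_identical": alice_unsalted == bob_unsalted,
        "salted_records_identical": alice_salted == bob_salted,
        "salted_verifies_with_password": verify_salted(alice_salted, password),
        "salted_rejects_wrong_password": not verify_salted(alice_salted, "wrong"),
        "password_passes_challenge": verify_challenge(alice_unsalted, challenge, resp_from_password),
        "stored_hash_alone_passes_challenge": verify_challenge(alice_unsalted, challenge, resp_from_stored),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The two "identical" flags show the salt effect (identical passwords are visible in an unsalted store, invisible in a salted one), and the last two flags show why the thread calls the NT hash a plaintext equivalent: the server never sees the password, only a proof keyed on the hash, so the hash itself is the secret to protect. The same reasoning is what makes Simo's proposed sync path (carrying the cleartext password over an encrypted connection) a secret-handling problem rather than a hash-format one.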