Encrypted Passwords & Restricting Logon Attempts

Andrew Bartlett abartlet at samba.org
Wed Nov 27 20:53:01 GMT 2002 

On Thu, 2002-11-28 at 01:51, Jim Morris wrote:
> Andrew,
> 
> Thanks for your detailed response on this subject.
> 
> >> As everyone on this list is probably aware, the use of encrypted
> >> passwords and PAM password authentication are an apparently mutually
> >> exclusive options with Samba 2.2.x.  This is stated up front in the 
> >> help
> >> for the 'obey pam restrictions' option in the man page I believe.
> >
> > Just to make this clear, this is not of our choosing, it is just a
> > matter of how the protocol works.
> 
> Oh - I knew that when I composed my message.  That is also clear - PAM 
> does not support the challenge/response mechanism needed.  It still 
> seems to me that it should somehow be possible, if coded right.   Let's 
> say we have PAM setup on the system to actually authenticate against 
> the smbpasswd file, or an OpenLDAP server storing the passwords in 
> encrypted form.  Is there no way to do the handshaking at the Samba 
> level, with just one call to PAM?  Or do we need to read the 16-byte 
> hash or whatever is stored in the smbpasswd file, in order to check the 
> password?  I can see PAM not letting us do that....

It is technically possible to make PAM do a large number of things, but
really, you don't want to go there :-).  Doing so would remove the
purpose of using PAM - because you would no longer be able to use
arbitrary modules - only modules coded with this samba-specific hack.
:-)

> Ok - on plain texts passwords, you state:
> 
> > It would also prevent domain logons, and exposes bugs in other parts of
> > Microsoft's client.
> 
> The domain in this case is controlled by Samba. Most of the clients are 
> Windows 95/98 clients, and testing with Windows 98 seems to show that 
> it can do a 'domain logon'. For the record, I know that this is not 
> quite the same as the domain logon that Windows 2000 or NT clients will 
> do, and I have yet to test one of those clients.  (I spent a LOT of 
> time working through the domain logon stuff a couple of years ago when 
> working on those chapters of 'Special Edition, Using Samba' with 
> Richard Sharpe).  Anyway, I would only consider this switch to 
> plaintext passwords a temporary measure while I come up with something 
> better.
> 
> > I think that the easiest way to do this would be to look into Samba
> > 3.0's auth subsystem, and add a hook for WRONG_PASSORD return values.
> > This could update the same database that pam_tally uses.
> 
> Sounds like I need to pull a copy of HEAD from CVS and start getting 
> familiar with Samba 3.0.  Of course, I am assuming that the HEAD 
> revision is Samba 3.0 work in progress?

Samba 3.0 is now in alpha, and we have a separate CVS branch -
SAMBA_3_0.  There are also tarballs - but grab the CVS if you can.

> > We certainly need to work on this, and a number of other 'enterprise
> > grade' features.  There are a number of things that, as developers, we
> > don't notice, but user feedback (and in some cases, very good patches!)
> > has allowed us to support.
> >
> > This feature in particular should be picked up when we finish
> > implementing and better integrating account policy support.
> 
> Well, I have been looking for a contribution to make to Samba for a 
> long time.  My last direct contributions involved some OS/2 client 
> related debugging of Samba back in 1995, so its been a while!  It 
> sounds like this may be an area I could work on.
> 
> >> Alternatively, how difficult would it be to modify Samba to support an
> >> option like this directly, within the constructs of the smbpasswd 
> >> file?
> >
> > Yes, your best option is to modify Samba,
> 
> Ok - thanks for the advice.  Should I consider Samba 3.0 (CVS) as the 
> best starting point for such a process?

Yes.  For a samba-centric patch, I would do this by hooking into the
auth subystem in auth/auth.c.  We would then have to decide where to
store the counter - probably in the passdb subsystem as a simple
counter.  This has interesting complications on BDCs, but it probably
the best place to start.

We already have an account policy (lib/account_pol.c) to 'set' this
behavior, so that should probably control the new feature.

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.samba.org/archive/samba-technical/attachments/20021127/37fd18d0/attachment.bin

More information about the samba-technical mailing list