Encrypted Passwords & Restricting Logon Attempts
Andrew Bartlett
abartlet at samba.org
Wed Nov 27 20:53:01 GMT 2002
On Thu, 2002-11-28 at 01:51, Jim Morris wrote:
> Andrew,
>
> Thanks for your detailed response on this subject.
>
> >> As everyone on this list is probably aware, the use of encrypted
> >> passwords and PAM password authentication are an apparently mutually
> >> passwords and PAM password authentication are apparently mutually
> >> exclusive options with Samba 2.2.x. This is stated up front in the
> >> help for the 'obey pam restrictions' option in the man page I believe.
> >
> > Just to make this clear, this is not of our choosing, it is just a
> > matter of how the protocol works.
>
> Oh - I knew that when I composed my message. That is also clear - PAM
> does not support the challenge/response mechanism needed. It still
> seems to me that it should somehow be possible, if coded right. Let's
> say we have PAM setup on the system to actually authenticate against
> the smbpasswd file, or an OpenLDAP server storing the passwords in
> encrypted form. Is there no way to do the handshaking at the Samba
> level, with just one call to PAM? Or do we need to read the 16-byte
> hash or whatever is stored in the smbpasswd file, in order to check the
> password? I can see PAM not letting us do that....
It is technically possible to make PAM do a large number of things, but
really, you don't want to go there :-). Doing so would remove the
purpose of using PAM - because you would no longer be able to use
arbitrary modules - only modules coded with this samba-specific hack.
:-)
> Ok - on plaintext passwords, you state:
>
> > It would also prevent domain logons, and exposes bugs in other parts of
> > Microsoft's client.
>
> The domain in this case is controlled by Samba. Most of the clients are
> Windows 95/98 clients, and testing with Windows 98 seems to show that
> it can do a 'domain logon'. For the record, I know that this is not
> quite the same as the domain logon that Windows 2000 or NT clients will
> do, and I have yet to test one of those clients. (I spent a LOT of
> time working through the domain logon stuff a couple of years ago when
> working on those chapters of 'Special Edition, Using Samba' with
> Richard Sharpe). Anyway, I would only consider this switch to
> plaintext passwords a temporary measure while I come up with something
> better.
>
> > I think that the easiest way to do this would be to look into Samba
> > 3.0's auth subsystem, and add a hook for WRONG_PASSWORD return values.
> > This could update the same database that pam_tally uses.
>
> Sounds like I need to pull a copy of HEAD from CVS and start getting
> familiar with Samba 3.0. Of course, I am assuming that the HEAD
> revision is Samba 3.0 work in progress?
Samba 3.0 is now in alpha, and we have a separate CVS branch -
SAMBA_3_0. There are also tarballs - but grab the CVS if you can.
> > We certainly need to work on this, and a number of other 'enterprise
> > grade' features. There are a number of things that, as developers, we
> > don't notice, but user feedback (and in some cases, very good patches!)
> > has allowed us to support.
> >
> > This feature in particular should be picked up when we finish
> > implementing and better integrating account policy support.
>
> Well, I have been looking for a contribution to make to Samba for a
> long time. My last direct contributions involved some OS/2 client
> related debugging of Samba back in 1995, so it's been a while! It
> sounds like this may be an area I could work on.
>
> >> Alternatively, how difficult would it be to modify Samba to support an
> >> option like this directly, within the constructs of the smbpasswd
> >> file?
> >
> > Yes, your best option is to modify Samba,
>
> Ok - thanks for the advice. Should I consider Samba 3.0 (CVS) as the
> best starting point for such a process?
Yes. For a samba-centric patch, I would do this by hooking into the
auth subsystem in auth/auth.c. We would then have to decide where to
store the counter - probably in the passdb subsystem as a simple
counter. This has interesting complications on BDCs, but it is probably
the best place to start.
We already have an account policy (lib/account_pol.c) to 'set' this
behavior, so that should probably control the new feature.
Andrew Bartlett
--
Andrew Bartlett abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team abartlet at samba.org
Student Network Administrator, Hawker College abartlet at hawkerc.net
http://samba.org http://build.samba.org http://hawkerc.net
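As an added illustration of the design sketched above (a failed-logon counter driven by account-policy values, in the spirit of pam_tally), here is a small C model of the lockout bookkeeping such a hook would maintain. It is example code written for this page, not Samba's auth or passdb code; the struct and function names, the policy field names and the sample numbers are all constructed. A caller would check account_is_locked() before attempting authentication and then pass the auth subsystem's result to lockout_record().

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <time.h>

/* Hypothetical account-policy values (constructed for this example), modelled
 * on the usual "lockout threshold / reset window / lockout duration" trio. */
struct lockout_policy {
    uint32_t lockout_threshold;  /* wrong passwords before lockout; 0 = never lock */
    time_t   reset_window;       /* seconds of quiet after which the count resets; 0 = never */
    time_t   lockout_duration;   /* seconds an account stays locked; must be > 0 here */
};

/* Per-account counter state, the kind of record the thread suggests keeping in passdb. */
struct lockout_state {
    uint32_t bad_password_count;
    time_t   last_bad_password;  /* 0 = no failures recorded */
    time_t   locked_until;       /* 0 = not locked */
};

enum auth_result { AUTH_OK, AUTH_WRONG_PASSWORD };

/* True while the lockout is in force; callers should refuse to authenticate. */
bool account_is_locked(const struct lockout_state *s, time_t now)
{
    return s->locked_until != 0 && now < s->locked_until;
}

/* Administrator-driven unlock: clears the lock and the failure history. */
void lockout_admin_unlock(struct lockout_state *s)
{
    s->bad_password_count = 0;
    s->last_bad_password = 0;
    s->locked_until = 0;
}

/* Called with the auth subsystem's verdict. Returns true if the account is
 * (still or newly) locked. A correct password during a lockout does not unlock. */
bool lockout_record(struct lockout_state *s, const struct lockout_policy *p,
                    enum auth_result r, time_t now)
{
    if (account_is_locked(s, now))
        return true;                       /* locked: neither count nor reset */

    if (s->locked_until != 0 && now >= s->locked_until)
        lockout_admin_unlock(s);           /* lockout expired: start afresh */

    if (r == AUTH_OK) {
        s->bad_password_count = 0;         /* success resets the counter */
        s->last_bad_password = 0;
        return false;
    }

    /* Wrong password: forget stale failures outside the reset window. */
    if (s->last_bad_password != 0 && p->reset_window > 0 &&
        now - s->last_bad_password > p->reset_window)
        s->bad_password_count = 0;

    s->bad_password_count++;
    s->last_bad_password = now;

    if (p->lockout_threshold != 0 && s->bad_password_count >= p->lockout_threshold) {
        s->locked_until = now + p->lockout_duration;
        return true;
    }
    return false;
}

int main(void)
{
    /* Constructed policy: lock after 3 failures, 10-minute reset window, 30-minute lockout. */
    struct lockout_policy policy = { 3, 600, 1800 };
    struct lockout_state acct = { 0, 0, 0 };
    time_t t = 1000;

    for (int i = 0; i < 3; i++, t += 10) {
        bool locked = lockout_record(&acct, &policy, AUTH_WRONG_PASSWORD, t);
        printf("failure %d at t=%ld -> count=%u locked=%d\n",
               i + 1, (long)t, acct.bad_password_count, locked);
    }
    printf("locked at t=%ld: %d\n", (long)t, account_is_locked(&acct, t));
    printf("locked at t=%ld: %d\n", (long)(t + 1800), account_is_locked(&acct, t + 1800));
    return 0;
}
```

The counter lives in a single record, which is exactly where the BDC complication mentioned above bites: if every domain controller keeps its own copy, an attacker spread across DCs gets the threshold once per DC, so the count either has to be replicated or the threshold read as a per-DC figure.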