Re: [K12OSN] Samba setup w/ ldap vs NIS/NT domain

On Mon, Apr 15, 2002 at 05:42:44PM -0700, Eric Harrison wrote:
> On Sun, 14 Apr 2002, Mike Danahy wrote:

> >I do know that the iplanet directory server has an addon for NT
> >Synchronization services that will allow the SAM database and/or the NT
> >user database to sync up with an iplanet ldap server. There are two
> >software packages, one gets installed on the iplanet ldap server and the
> >other is installed on the NT server.  From what I have read, communication
> >takes place between servers in clear text; ahh--more work to make it
> >secure.   I took this info from "Solaris and LDAP Naming Services" by Tom
> >Bialaski and Michael Haines.

> The LDAP support in Samba 2.2.3a is not clear text (well, depends on how you
> define clear text ;-). What we did was add the Lanman & NT passwords to the
> LDAP schema and Samba queries for them there rather than /etc/smbpasswd.
> Thus it is the hash that is passed back and forth between the windows box and
> Samba, which is the same level of security (or insecurity if you prefer)
> that you get authenticating against an NT4.0 server.

The hashes themselves are more vulnerable if you're passing them across 
the network in an unencrypted LDAP result set.  Since these hashes are 
plaintext-equivalent (that is, if you have a user's hash, you can
impersonate the user with impunity), it is important to protect those 
hashes from being exposed.  So in fact, SAM LDAP without proper 
protections against sniffing is less secure than authenticating against an 
NT4 server.

As long as you use encryption on your LDAP queries -- either SASL+GSSAPI 
or SSL/TLS -- then you're ok.

> I believe they are working on the Kerberos support for win2k/xp in Samba 3.0.

And coming along quite well, from what I hear...

Steve Langasek
postmodern programmer
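As an added illustration of the point made above about protecting the LDAP result set (this is example code written for this page, not Samba's code or anything posted in the thread): a small audit script that reads the [global] section of an smb.conf and reports whether the LDAP session carrying the Lanman/NT hashes is encrypted. The parameter names 'ldap server', 'ldap port', 'ldap ssl' (Samba 2.2 style) and 'passdb backend = ldapsam:<uri>' (Samba 3 style) are real smb.conf options, but the accepted values and the default for 'ldap ssl' differ between Samba versions, so treating an unset 'ldap ssl' as "off" is a deliberately conservative assumption made here, and the three sample configurations are constructed for the example.

```python
"""Audit smb.conf [global] settings for whether Samba's LDAP traffic, which
carries the LM/NT password hashes, is encrypted on the wire.

Added example; not Samba's own code. Option names are real smb.conf
parameters, but version-specific defaults are not modelled: an absent
'ldap ssl' is treated as 'off' (conservative assumption)."""
from typing import Dict, List
from urllib.parse import urlparse

# Constructed sample: Samba 2.2-style settings, hashes fetched over plain LDAP.
WEAK_CONF = """
[global]
    workgroup = SCHOOL
    ; port 389 with no TLS: sambaNTPassword values cross the wire readable
    ldap server = ldap.example.edu
    ldap port = 389
    ldap ssl = off
    ldap suffix = dc=example,dc=edu
"""

# Constructed sample: same server, session upgraded with STARTTLS.
HARDENED_CONF = """
[global]
    workgroup = SCHOOL
    ldap server = ldap.example.edu
    ldap port = 389
    ldap ssl = start tls
    ldap suffix = dc=example,dc=edu
"""

# Constructed sample: Samba 3-style backend URI using LDAP over SSL.
LDAPS_CONF = """
[global]
    passdb backend = ldapsam:ldaps://ldap.example.edu
    ldap ssl = off
"""


def parse_global(text: str) -> Dict[str, str]:
    """Return the [global] section of an smb.conf as {lowercased key: value}.

    Lines are 'key = value'; '#' or ';' start a comment line; parameter
    names are case-insensitive, so keys are normalised to lowercase."""
    params: Dict[str, str] = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        params[key.strip().lower()] = value.strip()
    return params


def ldap_transport(params: Dict[str, str]) -> str:
    """Classify the LDAP transport as 'ldaps', 'starttls', 'local' or 'cleartext'."""
    # Samba 3 style: one or more 'ldapsam:<uri>' tokens in 'passdb backend'.
    backend = params.get("passdb backend", "")
    uris: List[str] = [tok[len("ldapsam:"):] for tok in backend.split()
                       if tok.startswith("ldapsam:")]
    # 'start_tls' and 'start tls' both appear in configs; treat them alike.
    # Missing 'ldap ssl' is assumed 'off' (conservative; real default varies).
    ssl = params.get("ldap ssl", "off").strip().lower().replace("_", " ")

    if uris:
        schemes = {urlparse(u).scheme.lower() for u in uris}
        if schemes <= {"ldaps", "ldapi"}:
            # Every URI is TLS-wrapped or a local unix-domain socket.
            return "ldaps" if "ldaps" in schemes else "local"
        if ssl == "start tls":
            return "starttls"
        return "cleartext"

    # Samba 2.2 style: 'ldap server'/'ldap port' plus 'ldap ssl'.
    if ssl == "on":
        return "ldaps"
    if ssl == "start tls":
        return "starttls"
    return "cleartext"


def audit(text: str) -> Dict[str, object]:
    """Return the transport verdict and whether hashes are exposed to sniffing."""
    transport = ldap_transport(parse_global(text))
    exposed = transport == "cleartext"
    return {
        "transport": transport,
        "hashes_exposed": exposed,
        "finding": ("LM/NT hashes readable to anyone on the network path; set "
                    "'ldap ssl = start tls' or use an ldaps:// backend URI"
                    if exposed else "LDAP result set is protected in transit"),
    }


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF),
                       ("ldaps", LDAPS_CONF)):
        print(name, audit(conf))
```

The verdict deliberately treats only 'cleartext' as exposing the hashes: with STARTTLS or ldaps:// the hashes are still plaintext-equivalent, but at least they are no longer readable to a passive observer on the wire, which is the gap the reply above points out.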

