
Re: [K12OSN] Samba setup w/ ldap vs NIS/NT domain
On Tue, 16 Apr 2002, Steve Langasek wrote:

>On Mon, Apr 15, 2002 at 05:42:44PM -0700, Eric Harrison wrote:

>> The LDAP support in Samba 2.2.3a is not clear text (well, depends on how you
>> define clear text ;-). What we did was add the Lanman & NT passwords to the
>> LDAP schema and Samba queries for them there rather than /etc/smbpasswd.
>> Thus it is the hash that is passed back and forth between the Windows box and
>> Samba, which is the same level of security (or insecurity if you prefer)
>> that you get authenticating against a NT4.0 server.
>
>The hashes themselves are more vulnerable if you're passing them across 
>the network in an unencrypted LDAP result set.  Since these hashes are 
>plaintext-equivalent (that is, if you have a user's hash, you can
>impersonate the user with impunity), it is important to protect those 
>hashes from being exposed.  So in fact, SAM LDAP without proper 
>protections against sniffing is less secure than authenticating against an 
>NT4 server.

This is true for the communication between the Samba server and the LDAP
server, but it does not fix the plaintext-equivalent communication between
the Samba server and the Windows client. As far as I understand, encrypting
the LDAP<->Samba communication fixes only half the problem.

When I get a chance, we're going to try adding "lanman auth = no" to our
Samba config & see how much breaks ;-)

>As long as you use encryption on your LDAP queries -- either SASL+GSSAPI 
>or SSL/TLS -- then you're ok.

SSL/TLS is the default.

-Eric
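The two settings the thread turns on (disabling LanMan authentication, and keeping the LDAP result set that carries the LM/NT hashes inside SSL/TLS) can be audited mechanically. The following is an added example, not code from the thread or from the Samba project; the smb.conf samples are constructed, and the Samba 2.2 default of "lanman auth = yes" is an assumption.

```python
"""Check a Samba smb.conf for the two exposures discussed in this thread:
LanMan (LM) hashes offered to clients, and LM/NT hashes crossing the wire
to the LDAP server without SSL/TLS. Samba 2.2 defaults are assumed."""
import configparser

# Constructed sample: LDAP transport explicitly unprotected and
# "lanman auth" left unset (Samba 2.2 default "yes" is an assumption).
WEAK_SMB_CONF = """
[global]
workgroup = K12
security = user
encrypt passwords = yes
ldap server = ldap.example.internal
ldap ssl = off
"""

# Constructed sample with both settings made explicit and safe.
HARDENED_SMB_CONF = """
[global]
workgroup = K12
security = user
encrypt passwords = yes
ldap server = ldap.example.internal
ldap ssl = on
lanman auth = no
"""

SAFE_LDAP_SSL = ("on", "start tls", "start_tls")  # values that wrap LDAP in SSL/TLS


def global_section(conf_text):
    """Parse smb.conf text (INI-like) and return the [global] options as a dict."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    return dict(parser["global"]) if parser.has_section("global") else {}


def audit(conf_text):
    """Return a list of (option, finding) tuples; an empty list means no issues."""
    opts = global_section(conf_text)
    findings = []
    # LM hashes are plaintext-equivalent and weaker than NT hashes; the thread's
    # own remedy is "lanman auth = no", so anything else is reported.
    lanman = opts.get("lanman auth", "yes").strip().lower()
    if lanman in ("yes", "true", "1"):
        findings.append(("lanman auth", "LanMan auth enabled; set 'lanman auth = no'"))
    # Hashes fetched from LDAP are plaintext-equivalent, so the LDAP result set
    # must travel over SSL/TLS. Unset is reported so the choice is explicit.
    ldap_ssl = opts.get("ldap ssl")
    if ldap_ssl is None:
        findings.append(("ldap ssl", "not set; make the SSL/TLS choice explicit"))
    elif ldap_ssl.strip().lower() not in SAFE_LDAP_SSL:
        findings.append(("ldap ssl", f"'{ldap_ssl}' leaves LDAP traffic sniffable"))
    return findings
```

Running `audit(WEAK_SMB_CONF)` reports both options, while `audit(HARDENED_SMB_CONF)` returns an empty list.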
