[K12OSN] This is nuts! Samba/ldap almost fixed
Shahms E. King
shahms at shahms.com
Thu Apr 15 01:43:14 UTC 2004
> WHAT THE HECK?
>
> So it seems samba 2.x will auth against either record (passwords switched or
> not). Samba 3 will only auth against the one record.
>
> So I guess the problem is solved. Almost... I still would like to know how
> this happened. Also my biggest concern is now I have to swap these for 3000
> accounts.
>
> If anyone wants to chime in on that one let me know ;)
>
> Jamie
Jamie,
Indeed Samba 2.x will authenticate off of either hash (and in fact,
checks them both). Yes, it's a mild security and, in this case, hides a
more insidious problem. We actually have the same problem (which is one
more reason we're still using Samba 2.2), compounded by the fact that
both hashes look almost identical (/[A-F0-9]{32}/ if you want a regex to
describe it ;-P), some, but not all of our user records have the
passwords switched. In your case (if you're certain that *all* of the
hashes are backwards), it's relatively simple to script.
I can whip up a small shell script tomorrow and post it if you'd like.
Alternatively, I might be able to whip up a patch to the Samba 2.x LDAP
code to fix it "automagically" when a user logs in. I'm not sure if
that's actually doable (it's been a while since I wrote the code...),
but I imagine it is. The downside is you have to stick with your
current setup until all of your users have logged in once...
--
--Shahms
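
The bulk swap discussed above, valid only when every record has its two hashes reversed, as an added example (not the script offered in the post and not Samba's own code): it turns an `ldapsearch -LLL` dump into an `ldapmodify` change file. The attribute names `lmPassword`/`ntPassword`, the function names and the sample data are assumptions.

```shell
#!/bin/sh
# Assumed attribute names (Samba 2.2 sambaAccount schema); override for
# other schemas, e.g. sambaLMPassword / sambaNTPassword on Samba 3.
LM_ATTR=${LM_ATTR:-lmPassword}
NT_ATTR=${NT_ATTR:-ntPassword}

# Read `ldapsearch -LLL` output on stdin; write an ldapmodify change file
# on stdout that exchanges the two hash values of every entry.
swap_hashes_ldif() {
    awk -v lm="$LM_ATTR" -v nt="$NT_ATTR" '
    function is_hash(v) { return (length(v) == 32) && (v ~ /^[A-F0-9]+$/) }
    function flush_entry() {
        if (dn != "" && is_hash(lmv) && is_hash(ntv)) {
            print dn; print "changetype: modify"
            print "replace: " lm; print lm ": " ntv; print "-"
            print "replace: " nt; print nt ": " lmv; print ""
        } else if (dn != "") {
            print "skipped, hash missing or malformed: " dn > "/dev/stderr"
        }
        dn = ""; lmv = ""; ntv = ""
    }
    function handle(line,    i, name) {
        if (line == "") { flush_entry(); return }
        if (line ~ /^dn::? /) { dn = line; return }
        i = index(line, ": ")
        if (i == 0) return
        name = tolower(substr(line, 1, i - 1))
        if (name == tolower(lm)) lmv = substr(line, i + 2)
        if (name == tolower(nt)) ntv = substr(line, i + 2)
    }
    # LDIF folds long lines; a leading space marks a continuation.
    /^ / { pending = pending substr($0, 2); next }
    { handle(pending); pending = $0 }
    END { handle(pending); flush_entry() }
    '
}

# Constructed sample dump (made-up DNs and hash values) for a dry run:
#   sample_dump | swap_hashes_ldif
sample_dump() {
    cat <<'EOF'
dn: uid=alice,ou=People,dc=example,dc=org
lmPassword: 0123456789ABCDEF0123456789ABCDEF
ntPassword: FEDCBA9876543210FEDCBA9876543210

dn: uid=bob,ou=People,dc=example,dc=org
ntPassword: 00112233445566778899AABBCCDDEEFF
EOF
}
```

Review the generated file before feeding it to `ldapmodify`, and apply it only once: a second run swaps the hashes back.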