[K12OSN] This is nuts! Samba/ldap almost fixed

Shahms E. King shahms at shahms.com
Thu Apr 15 01:43:14 UTC 2004

> So it seems samba 2.x with auth against either record (passwords switched ot
> not). Samba 3 will only auth against the one record.
> So I guess the problem is solved. Almost... I still would like to know how
> this happened. Also my biggest concern it now I have to swap these for 3000
> accounts. 
> If anyone wants to chime in on that one let me know ;)
> Jamie 


Indeed Samba 2.x will authenticate off of either hash (and in fact,
checks them both).  Yes, it's a mild security and, in this case, hides a
more insidious problem.  We actually have the same problem (which is one
more reason we're still using Samba 2.2), compounded by the fact that
both hashes look almost identical (/[A-F0-9]{32}/ if you want a regex to
describe it ;-P), some, but not all of our user records have the
passwords switched.  In your case (if you're certain that *all* of the
hashes are backwards), it's relatively simple to script.

I can whip up a small shell script tomorrow and post it if you'd like. 
Alternatively, I might be able to whip up a patch to the Samba 2.x LDAP
code to fix it "automagically" when a user logs in.  I'm not sure if
that's actually doable (it's been a while since I wrote the code...),
but I imagine it is.  The downside is you have to stick with your
current setup until all of your users have logged in once...
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
URL: <http://listman.redhat.com/archives/k12osn/attachments/20040414/55e87402/attachment.sig>

More information about the K12OSN mailing list