[K12OSN] This is nuts! Samba/ldap almost fixed

jamie mcparlandj at newberg.k12.or.us
Thu Apr 15 18:48:50 UTC 2004


Hey! Someone in the same boat I am HAHA! I am pretty sure all my passwords
are backwards. (how did that happen?) Could you post the script that would
switch them for me? I'm not so good with the perl... Need to get back on
that perl in 24 hours book ;)

I would try the other way but it will be years till everyone logs in. We
only have about 20% of the kids even using the servers, and most of them
on Macs in the labs.

Thanks,
Jamie

On 4/14/04 6:43 PM, "Shahms E. King" <shahms at shahms.com> wrote:

> 
>> WHAT THE HECK?
>> 
>> So it seems samba 2.x will auth against either record (passwords switched or
>> not). Samba 3 will only auth against the one record.
>> 
>> So I guess the problem is solved. Almost... I still would like to know how
>> this happened. Also my biggest concern is now I have to swap these for 3000
>> accounts. 
>> 
>> If anyone wants to chime in on that one let me know ;)
>> 
>> Jamie 
> 
> Jamie,
> 
> Indeed Samba 2.x will authenticate off of either hash (and in fact,
> checks them both).  Yes, it's a mild security and, in this case, hides a
> more insidious problem.  We actually have the same problem (which is one
> more reason we're still using Samba 2.2), compounded by the fact that
> both hashes look almost identical (/[A-F0-9]{32}/ if you want a regex to
> describe it ;-P), some, but not all of our user records have the
> passwords switched.  In your case (if you're certain that *all* of the
> hashes are backwards), it's relatively simple to script.
> 
> I can whip up a small shell script tomorrow and post it if you'd like.
> Alternatively, I might be able to whip up a patch to the Samba 2.x LDAP
> code to fix it "automagically" when a user logs in.  I'm not sure if
> that's actually doable (it's been a while since I wrote the code...),
> but I imagine it is.  The downside is you have to stick with your
> current setup until all of your users have logged in once...

- Jamie
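
Added example, not part of the original thread and not written by either poster: one way to script the swap discussed above, working on an LDIF export and emitting `ldapmodify` input. It goes beyond the "all records are backwards" case by classifying each record first, using the fact that the LM hash of a password of 7 characters or fewer always ends in `AAD3B435B51404EE`. The attribute names `lmPassword` and `ntPassword` (the Samba 2.2 schema; Samba 3 uses `sambaLMPassword` and `sambaNTPassword`) and the sample entries are assumptions, since the thread names neither.

```python
import re

HASH_RE = re.compile(r"[A-F0-9]{32}")  # pattern quoted in the thread; fits both hash types
LM_SHORT_TAIL = "AAD3B435B51404EE"     # second half of any LM hash of a password <= 7 chars

def parse_ldif(text):
    """Yield (dn, attrs) per entry. Plain 'attr: value' lines only (no folding, no base64)."""
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = dict(line.split(": ", 1) for line in block.splitlines()
                     if ": " in line and not line.startswith("#"))
        if "dn" in attrs:
            yield attrs.pop("dn"), attrs

def classify(lm_value, nt_value):
    """Return 'swapped', 'ok', 'unknown' or 'malformed' for one record."""
    if not (HASH_RE.fullmatch(lm_value) and HASH_RE.fullmatch(nt_value)):
        return "malformed"
    lm_tail, nt_tail = lm_value.endswith(LM_SHORT_TAIL), nt_value.endswith(LM_SHORT_TAIL)
    if lm_tail != nt_tail:
        # Tail in the NT attribute means an LM hash is stored in the wrong place.
        return "swapped" if nt_tail else "ok"
    return "unknown"  # longer password: the two values alone cannot tell

def build_swap_ldif(text, lm_attr="lmPassword", nt_attr="ntPassword", assume_all=False):
    """Return (ldif_modify_text, skipped_dns). Records proven 'ok' are never touched.

    Attribute names are assumptions; assume_all=True also swaps 'unknown' records,
    which is only safe if every record is known to be backwards.
    """
    wanted = {"swapped", "unknown"} if assume_all else {"swapped"}
    changes, skipped = [], []
    for dn, attrs in parse_ldif(text):
        lm, nt = attrs.get(lm_attr, ""), attrs.get(nt_attr, "")
        state = classify(lm, nt)
        if state == "malformed":
            skipped.append(dn)          # leave for manual review
        elif state in wanted:
            changes.append(f"dn: {dn}\nchangetype: modify\n"
                           f"replace: {lm_attr}\n{lm_attr}: {nt}\n-\n"
                           f"replace: {nt_attr}\n{nt_attr}: {lm}\n")
    return "\n".join(changes), skipped

# Constructed sample export: made-up hex values, not real password hashes.
_ROWS = [("alice", "2" * 32, "1" * 16 + LM_SHORT_TAIL),   # provably swapped
         ("bob", "3" * 16 + LM_SHORT_TAIL, "4" * 32),     # provably correct
         ("carol", "5" * 32, "6" * 32),                   # cannot tell
         ("dave", "7777", "8" * 32)]                      # malformed value
SAMPLE = "\n\n".join(f"dn: uid={u},ou=People,dc=example,dc=org\n"
                     f"lmPassword: {lm}\nntPassword: {nt}" for u, lm, nt in _ROWS)

if __name__ == "__main__":
    print(*build_swap_ldif(SAMPLE), sep="\nskipped: ")
```

Review the generated LDIF and keep a full export of the directory before applying it, since a second run with `assume_all=True` would swap the long-password records back.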





