
RE: Win9x<->SMB<->LDAP

nt and win9x password changes send the plain-text Unicode and plain-text
dos-codepage-bastardised-ascii respectively -- encrypted with the user's
old password hash.

On Mon, 24 Apr 2000, Jeff Mandel wrote:

> Thanks, Steve, for the response. Samba authenticates against ldap by
> calling getpw routine. Thanks to the nsswitch and nss_ldap and pam_ldap
> it can look up the account and authenticate.
> The problem comes when encrypted passwords is turned on on the Win95
> client. It then sends a hash that the pam_ldap doesn't decode, and has
> nothing to compare against in LDAP.
> Help me here because this is where things turn vague. It looks like your
> module calls getsmbpwent. Is that smbpwent specific to the smbpasswd
> file, or will it roll out to nsswitch if there is no entry in the
> smbpasswd file?
> With regards to pam and LDAP:
> Is the LDAP support idea to store a password that would have been in the
> smbpasswd file as attribute to an LDAP entry? I didn't see any
> documentation on which attributes to setup or if any additional object
> classes were needed.

i wouldn't recommend doing this.  i would recommend just using pam_smbpass
(or pam_ntpass if anyone wishes to write it, it's a simple matter of
cut/paste pam_smbpass and making one function call -
msrpc_samr_pwd_change()) and running samba.

samba should be the one controlling the access to the LDAP password hash
entries, particularly as it is necessary to store them in clear-text or
reversibly encrypted.

if you _must_ change the clear-text-equivalent lm# and nt#es directly, *do
not* consider sending 16 byte lm# or nt#es over-the-wire without
obfuscating them (e.g. sshd tunneling between pam_smbldap_pass and the
remote ldap server).

