I'm working on getting wireless network clients to do authentication via radius plugged into Fedora DS. Windows will do PEAP for authentication, which encrypts the mschapv2 password check. FreeRadius supports this and all works well, except...

For Radius to do mschapv2, using Fedora DS, the NT hash of the password must be in the directory. It cannot use the regular user's password.

I used a perl script to hash a password and put it in a user's entry, using ntusercomment (for lack of finding a better field), told FreeRadius that ntusercomment is the NT-Password field it's looking for, and I was able to successfully authenticate from a Windows box over the wireless card using WAP. Obviously this is not a good long term solution.

1) Does anyone know of a better way to store NT password hashes in the directory?

2) Is there a way to update the hash when the user changes their password? Maybe have DS call a perl script when a password change occurs?

3) Is there a better way of doing this?

Thank you,
On Fri, 2006-01-13 at 12:35 -0500, Roger Spencer wrote:
> <..snip..>
----
I am unclear how you are doing authentication by Windows users to the network in a normal login...via AD?

anyway, my inclination is to setup Fedora-DS to use samba schema

http://directory.fedora.redhat.com/wiki/Howto:Samba

as that would give you a sambaNTPassword attribute which is normally the hashed password as expected but how that relates to question #2...updating the hash when the user changes their password...I suppose that would depend upon the chain of events that occur where/when the user changes their password...how is this information going to be sent to fedora-ds?

Craig
Craig White wrote:
> <..snip..>

When I arrived on the scene, network authentication for windows clients consisted of setting a local user id and password on a PC and setting the same user id and password on a stand-alone samba server. Of course, users had different ids for email, vpn, shared-keys for wireless, etc. and passwords never changed (there was a partial NIS setup going, so all was not bleak).

What I'm doing is consolidating it all into FDS with the benefit of a password policy. The samba schema worked great and also gets samba using FDS for authentication. But this leaves one question: what to do about having two sets of passwords in FDS?

With samba running as an NT domain controller, and having PCs join the domain, samba should take care of keeping the sambaNTPassword correct when a Windows user changes their password. But what of the userPassword attribute? What happens when that same user does an ssh session into a Linux server, which if I understand correctly, will use the userPassword attribute for authentication?

Is there a way to keep the two password attributes in sync? I'm not sure if it's possible to have all devices needing to do authentication to use the NT style.
Richard Megginson
2006-Jan-19 19:50 UTC
Re: [Fedora-directory-users] NT Password Hash Storage
Yes. We need a plug-in that will take updates to userPassword and update sambaNTPassword (and vice versa) and possibly other related things like the sambaLMPassword.

Any volunteers? Mark McLoughlin posted some pyldap code that does this, and I believe OpenLDAP has a samba module/overlay that does this.

Roger Spencer wrote:
> <..snip..>
I don't think I have the skill set to write something, but I'm willing to poke around with the OpenLDAP samba module and look at the pyldap plugin (where is it at?).

Richard Megginson wrote:
> Yes. We need a plug-in that will take updates to userPassword and
> update sambaNTPassword (and vice versa) and possibly other related
> things like the sambaLMPassword.
>
> Any volunteers? Mark McLoughlin posted some pyldap code that does
> this, and I believe OpenLDAP has a samba module/overlay that does this.
>
> Roger Spencer wrote:
>> <..snip..>
Richard Megginson
2006-Jan-19 20:37 UTC
Re: [Fedora-directory-users] NT Password Hash Storage
Roger Spencer wrote:
> I don't think I have the skill set to write something, but I'm willing
> to poke around with the OpenLDAP samba module and look at the pyldap
> plugin (where is it at?).

Don't worry about it then. We'll have to get a C coder to take a look at it.

> Richard Megginson wrote:
>> <..snip..>
Oscar A. Valdez
2006-Jan-19 20:42 UTC
Re: [Fedora-directory-users] NT Password Hash Storage
On Thu, 19-01-2006 at 12:50 -0700, Richard Megginson wrote:
> Yes. We need a plug-in that will take updates to userPassword and
> update sambaNTPassword (and vice versa) and possibly other related
> things like the sambaLMPassword.
>
> Any volunteers? Mark McLoughlin posted some pyldap code that does this,
> and I believe OpenLDAP has a samba module/overlay that does this.

I believe this is what the smbldap-tools' smbldap-passwd command does. It looks like the smbldap-tools work pretty well with FDS.

-- 
Oscar A. Valdez
That shouldn't be necessary for samba users.

smb.conf - global section

ldap passwd sync = yes

from man page for smb.conf

ldap passwd sync (G)
    This option is used to define whether or not Samba should sync the LDAP password with the NT and LM hashes for normal accounts (NOT for workstation, server or domain trusts) on a password change via SAMBA.

    The ldap passwd sync can be set to one of three values:

    Yes = Try to update the LDAP, NT and LM passwords and update the pwdLastSet time.

    No = Update NT and LM passwords and update the pwdLastSet time.

    Only = Only update the LDAP password and let the LDAP server do the rest.

Of course this only handles instances where the user changes his windows password from Windows but that was the direction of the OP as I understood him.

Craig

On Thu, 2006-01-19 at 12:50 -0700, Richard Megginson wrote:
> <..snip..>
Mark McLoughlin
2006-Jan-20 07:37 UTC
Re: [Fedora-directory-users] NT Password Hash Storage
On Thu, 2006-01-19 at 17:20 -0700, Craig White wrote:
> That shouldn't be necessary for samba users.
>
> smb.conf - global section
>
> ldap passwd sync = yes
>
> from man page for smb.conf
>
> ldap passwd sync (G)
>     This option is used to define whether or not Samba should sync
>     the LDAP password with the NT and LM hashes for normal accounts
>     (NOT for workstation, server or domain trusts) on a password
>     change via SAMBA.
             ^^^^^^^^^

Right, but if you want to allow password directly through the directory, you'd need a plugin which updates the NT and LM hashes.

Cheers,
Mark.
On Fri, 2006-01-20 at 07:37 +0000, Mark McLoughlin wrote:
> On Thu, 2006-01-19 at 17:20 -0700, Craig White wrote:
>> <..snip..>
>
> Right, but if you want to allow password directly through the
> directory, you'd need a plugin which updates the NT and LM hashes.
----
I presume that you are speaking of setting the sambaNTPassword and sambaLMPassword attributes from the console application. That would be nice. In fact, there should be a 'view/edit template' for samba attributes similar to that for the posix stuff too.

The OP was interested in changing via samba and that was the basis of my answer.

Craig
Mark McLoughlin
2006-Jan-20 13:49 UTC
Re: [Fedora-directory-users] NT Password Hash Storage
On Fri, 2006-01-20 at 06:46 -0700, Craig White wrote:
> I presume that you are speaking of setting the sambaNTPassword and
> sambaLMPassword attributes from the console application.

Nope, it would be a slapd plugin which would automatically update those attributes when you change the userPassword attribute.

Cheers,
Mark.
On Fri, 2006-01-20 at 07:46, Craig White wrote:
>> Right, but if you want to allow password directly through the
>> directory, you'd need a plugin which updates the NT and LM hashes.
> ----
> I presume that you are speaking of setting the sambaNTPassword and
> sambaLMPassword attributes from the console application. That would be
> nice. In fact, there should be a 'view/edit template' for samba
> attributes similar to that for the posix stuff too.
>
> The OP was interested in changing via samba and that was the basis of my
> answer.

Doesn't running sambapasswd from the command line do that if you have set samba up to sync? Or is it only when changed from windows? Does pam have password-changing hooks that can be used to make all password changes work the same way for any pam-aware app?

-- 
Les Mikesell
lesmikesell@gmail.com
On Fri, 2006-01-20 at 13:49 +0000, Mark McLoughlin wrote:
> On Fri, 2006-01-20 at 06:46 -0700, Craig White wrote:
>
>> I presume that you are speaking of setting the sambaNTPassword and
>> sambaLMPassword attributes from the console application.
>
> Nope, it would be a slapd plugin which would automatically update those
> attributes when you change the userPassword attribute.
----
of course you would have an on/off switch for that since I don't think that everyone desires that function and for the most part, has other ways of obtaining that already (hence simultaneous updates of userPassword/sambaNTPassword/sambaLMPassword attributes from their client applications).

Craig
On Fri, 2006-01-20 at 08:09 -0600, Les Mikesell wrote:
> On Fri, 2006-01-20 at 07:46, Craig White wrote:
>> <..snip..>
>
> Doesn't running sambapasswd from the command line do that if you
> have set samba up to sync? Or is it only when changed from
> windows? Does pam have password-changing hooks that can be
> used to make all password changes work the same way for
> any pam-aware app?
----
password changes via smbpasswd would change userPassword attribute if 'ldap passwd sync = yes' in smb.conf

I wouldn't know about pam capabilities but I don't think so.

Craig