Terry Davis
2002-Feb-04 16:56 UTC
[Samba] passwords - windows - clear or hashed over wire?
Hello,

I am testing some things and coming up with weird results.
Here is the scoop:

I have samba set to:
unix password sync = yes
pam password change = yes

I am trying to test what is going on when I change a user's password
from a windows box using the windows password utility. Here is what
happens.

If I have /etc/pam.d/samba set to:
auth required pam_nologin.so
auth required pam_stack.so service=system-auth
account required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth

samba changes the smbpasswd file to update the changes I made in windows
to the password. It stores the passwords hashed as expected.

If I set /etc/pam.d/samba to:
auth required pam_ldap.so
account required pam_ldap.so
session required pam_ldap.so
password required pam_ldap.so

then samba changes the password in the ldap server. This is great!!
One problem, it changes the password in ldap to be clear! How does it
do this? I didn't think windows sent the password across the wire in
the clear.

Any smart people wanna figure this one out?
Thank you!

--
Terry Davis
Systems Administrator
BirdDog Solutions, Inc.
(402) 829-6059
birddog.com

Chris Bünger
2002-Feb-04 23:07 UTC
[Samba] passwords - windows - clear or hashed over wire?
I found this in the smb.conf man page:

The default behavior is to use PAM for clear text authentication only
and to ignore any account or session management.

Does this have something to do with your issue?

chris

----- Original Message -----
From: "Terry Davis" <tdavis@birddog.com>
To: <samba@lists.samba.org>
Sent: Monday, February 04, 2002 10:23 PM
Subject: [Samba] passwords - windows - clear or hashed over wire?

> Hello,
>
> I am testing some things and coming up with weird results.
> Here is the scoop:
>
> I have samba set to:
> unix password sync = yes
> pam password change = yes
>
> I am trying to test what is going on when I change a user's password
> from a windows box using the windows password utility. Here is what
> happens.
>
> If I have /etc/pam.d/samba set to:
> auth required pam_nologin.so
> auth required pam_stack.so service=system-auth
> account required pam_stack.so service=system-auth
> session required pam_stack.so service=system-auth
> password required pam_stack.so service=system-auth
>
> samba changes the smbpasswd file to update the changes I made in windows
> to the password. It stores the passwords hashed as expected.
>
> If I set /etc/pam.d/samba to:
> auth required pam_ldap.so
> account required pam_ldap.so
> session required pam_ldap.so
> password required pam_ldap.so
>
> then samba changes the password in the ldap server. This is great!!
> One problem, it changes the password in ldap to be clear! How does it
> do this? I didn't think windows sent the password across the wire in
> the clear.
>
> Any smart people wanna figure this one out?
> Thank you!
>
> --
> Terry Davis
> Systems Administrator
> BirdDog Solutions, Inc.
> (402) 829-6059
> birddog.com

Terry Davis
2002-Feb-05 00:37 UTC
[Samba] passwords - windows - clear or hashed over wire?
Andrew Bartlett wrote:

> Terry Davis wrote:
>
>>Hello,
>>
>>I am testing some things and coming up with weird results.
>>Here is the scoop:
>>
>>I have samba set to:
>>unix password sync = yes
>>pam password change = yes
>>
>>I am trying to test what is going on when I change a user's password
>>from a windows box using the windows password utility. Here is what
>>happens.
>>
>>If I have /etc/pam.d/samba set to:
>>auth required pam_nologin.so
>>auth required pam_stack.so service=system-auth
>>account required pam_stack.so service=system-auth
>>session required pam_stack.so service=system-auth
>>password required pam_stack.so service=system-auth
>>
>>samba changes the smbpasswd file to update the changes I made in windows
>>to the password. It stores the passwords hashed as expected.
>>
>>If I set /etc/pam.d/samba to:
>>auth required pam_ldap.so
>>account required pam_ldap.so
>>session required pam_ldap.so
>>password required pam_ldap.so
>>
>>then samba changes the password in the ldap server. This is great!!
>>One problem, it changes the password in ldap to be clear! How does it
>>do this? I didn't think windows sent the password across the wire in
>>the clear.
>>
>
> Windows sends the *new* password in the clear, so it can be
> strength-checked etc.
>
> The LDAP stuff is entirely within pam_ldap.so, and I would suggest you
> see if the /etc/ldap.conf file allows you to configure its behaviour. (I
> think it does).
>
> Andrew Bartlett
>

Hrm, I didn't see anything in the clear. Would this be done over tcp
port 139?

Thank you for your help. It is greatly appreciated!

--
Terry Davis
Systems Administrator
BirdDog Solutions, Inc.
(402) 829-6059

Andrew Bartlett
2002-Feb-05 03:39 UTC
[Samba] passwords - windows - clear or hashed over wire?
Terry Davis wrote:

> Hrm, I didn't see anything in the clear. Would this be done over tcp
> port 139?

Well it's not quite cleartext - it's encrypted with the previous password.

Andrew Bartlett

--
Andrew Bartlett                                 abartlet@pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet@samba.org
Student Network Administrator, Hawker College   abartlet@hawkerc.net
samba.org     build.samba.org     hawkerc.net

Gerald Carter
2002-Feb-05 12:28 UTC
[Samba] passwords - windows - clear or hashed over wire?
On Mon, 4 Feb 2002, Terry Davis wrote:

> If I set /etc/pam.d/samba to:
> auth required pam_ldap.so
> account required pam_ldap.so
> session required pam_ldap.so
> password required pam_ldap.so
>
> then samba changes the password in the ldap server. This is great!!
> One problem, it changes the password in ldap to be clear! How does it
> do this? I didn't think windows sent the password across the wire in
> the clear.

This will be a characteristic of the pam_ldap.so library. You should
use ssl when connecting to the LDAP server. See the examples in the
/etc/ldap.conf file included with your linux distribution.

chau, jerry

---------------------------------------------------------------------
Hewlett-Packard                                               hp.com
SAMBA Team                                                 samba.org
--                                                      plainjoe.org
"Sam's Teach Yourself Samba in 24 Hours" 2ed.    ISBN 0-672-32269-2
--"I never saved anything for the swim back." Ethan Hawk in Gattaca--
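
Added example, not part of any message in this thread and not Samba or pam_ldap code: a small check of a pam_ldap /etc/ldap.conf for the two settings the replies point at, how the password is written to the directory and whether the LDAP connection uses SSL. The `pam_password`, `ssl` and `uri` directive names and the `clear` default are assumptions taken from PADL pam_ldap's ldap.conf and may differ by version; both sample configs are constructed.

```python
# Added example: directive names assumed from PADL pam_ldap's ldap.conf.
WEAK_CONF = """\
# constructed sample: no transport security, password written as sent
host ldap.example.com
base dc=example,dc=com
pam_password clear
"""

HARDENED_CONF = """\
# constructed sample: StartTLS plus the password-modify extended operation
host ldap.example.com
base dc=example,dc=com
ssl start_tls
pam_password exop
"""


def parse(text):
    """Return {directive: value} from ldap.conf-style text; last entry wins."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)  # directive and value, space or tab separated
        conf[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def audit(text):
    """List findings for password storage and transport protection."""
    conf = parse(text)
    findings = []
    # Assumption: with no pam_password line the module behaves as 'clear'.
    mode = conf.get("pam_password", "clear").lower()
    if mode.startswith("clear"):
        findings.append("pam_password=%s: password is sent to the directory unhashed" % mode)
    tls = conf.get("ssl", "off").lower() in ("on", "start_tls")
    ldaps = conf.get("uri", "").lower().startswith("ldaps://")
    if not (tls or ldaps):
        findings.append("no ssl/start_tls: password travels to the LDAP server in the clear")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(text) or "ok")
```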