thr3ads.net - samba - [Samba] passwords - windows - clear or hashed over wire? [Feb 2002]

If this information is useful, please help other people find it:
Share via:

Terry Davis

2002-Feb-04 16:56 UTC

[Samba] passwords - windows - clear or hashed over wire?

Hello,

I am testing some things and coming up with weird results.
Here is the scoop:

I have samba set to:
unix password sync = yes
pam password change = yes

I am trying to test what is going on when I change a user's password 
from a windows box using the windows password utility.  Here is what 
happens.

If I have /etc/pam.d/samba set to:
auth       required     pam_nologin.so
auth       required     pam_stack.so service=system-auth
account    required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth

samba changes the smbpasswd file to update the changes I made in windows 
to the password.  It stores the passwords hashed as expected.

If I set /etc/pam.d/samba to:
auth       required     pam_ldap.so
account    required     pam_ldap.so
session    required     pam_ldap.so
password   required     pam_ldap.so

then samba changes the password in the ldap server.   This is great!! 
One problem, it changes the password in ldap to be clear!   How does it 
do this?  I didn't think windows sent the password accross the wire in 
the clear.

Any smart people wanna figure this one out?
Thank you!

-- 
Terry Davis
Systems Administrator
BirdDog Solutions, Inc.
(402) 829-6059
www.birddog.com

Chris Bünger

2002-Feb-04 23:07 UTC

head link

[Samba] passwords - windows - clear or hashed over wire?

I found this in the smb.conf man page:

The default behavior
 is  to  use  PAM for clear text authentication only
 and to ignore any account  or  session  management.

does this have something to do with your issue.

chris

----- Original Message ----- 
From: "Terry Davis" <tdavis@birddog.com>
To: <samba@lists.samba.org>
Sent: Monday, February 04, 2002 10:23 PM
Subject: [Samba] passwords - windows - clear or hashed over wire?

> Hello,
> 
> I am testing some things and coming up with weird results.
> Here is the scoop:
> 
> I have samba set to:
> unix password sync = yes
> pam password change = yes
> 
> I am trying to test what is going on when I change a user's password 
> from a windows box using the windows password utility.  Here is what 
> happens.
> 
> If I have /etc/pam.d/samba set to:
> auth       required     pam_nologin.so
> auth       required     pam_stack.so service=system-auth
> account    required     pam_stack.so service=system-auth
> session    required     pam_stack.so service=system-auth
> password   required     pam_stack.so service=system-auth
> 
> samba changes the smbpasswd file to update the changes I made in windows 
> to the password.  It stores the passwords hashed as expected.
> 
> If I set /etc/pam.d/samba to:
> auth       required     pam_ldap.so
> account    required     pam_ldap.so
> session    required     pam_ldap.so
> password   required     pam_ldap.so
> 
> then samba changes the password in the ldap server.   This is great!! 
> One problem, it changes the password in ldap to be clear!   How does it 
> do this?  I didn't think windows sent the password accross the wire in 
> the clear.
> 
> Any smart people wanna figure this one out?
> Thank you!
> 
> -- 
> Terry Davis
> Systems Administrator
> BirdDog Solutions, Inc.
> (402) 829-6059
> www.birddog.com
> 
> 
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  http://lists.samba.org/mailman/listinfo/samba
> 
>

Terry Davis

2002-Feb-05 00:37 UTC

head link

[Samba] passwords - windows - clear or hashed over wire?

Andrew Bartlett wrote:
> Terry Davis wrote:
> 
>>Hello,
>>
>>I am testing some things and coming up with weird results.
>>Here is the scoop:
>>
>>I have samba set to:
>>unix password sync = yes
>>pam password change = yes
>>
>>I am trying to test what is going on when I change a user's password
>>from a windows box using the windows password utility.  Here is what
>>happens.
>>
>>If I have /etc/pam.d/samba set to:
>>auth       required     pam_nologin.so
>>auth       required     pam_stack.so service=system-auth
>>account    required     pam_stack.so service=system-auth
>>session    required     pam_stack.so service=system-auth
>>password   required     pam_stack.so service=system-auth
>>
>>samba changes the smbpasswd file to update the changes I made in windows
>>to the password.  It stores the passwords hashed as expected.
>>
>>If I set /etc/pam.d/samba to:
>>auth       required     pam_ldap.so
>>account    required     pam_ldap.so
>>session    required     pam_ldap.so
>>password   required     pam_ldap.so
>>
>>then samba changes the password in the ldap server.   This is great!!
>>One problem, it changes the password in ldap to be clear!   How does it
>>do this?  I didn't think windows sent the password accross the wire
in
>>the clear.
>>
> 
> Windows sends the *new* password in the clear, so it can be
> strength-checked etc.  
> 
> The LDAP stuff is entirly within pam_ldap.so, and I would suggest you
> see if the /etc/ldap.conf file allows you to configure its behaviour. (I
> think it does).
> 
> Andrew Bartlett
> 
> 
Hrm, I didnt see anything in the clear.  Would this be done over tcp 
port 139?

Thank you for your help.  It is greatly appreciated!



-- 
Terry Davis
Systems Administrator
BirdDog Solutions, Inc.
(402) 829-6059

Andrew Bartlett

2002-Feb-05 03:39 UTC

head link

[Samba] passwords - windows - clear or hashed over wire?

Terry Davis wrote:> 
> Hrm, I didnt see anything in the clear.  Would this be done over tcp
> port 139?
Well its not quite cleartext - its encrypted with the previous password.

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet@pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet@samba.org
Student Network Administrator, Hawker College   abartlet@hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net

Gerald Carter

2002-Feb-05 12:28 UTC

head link

[Samba] passwords - windows - clear or hashed over wire?

On Mon, 4 Feb 2002, Terry Davis wrote:
> If I set /etc/pam.d/samba to:
> auth       required     pam_ldap.so
> account    required     pam_ldap.so
> session    required     pam_ldap.so
> password   required     pam_ldap.so
> 
> then samba changes the password in the ldap server.   This is great!! 
> One problem, it changes the password in ldap to be clear!   How does it 
> do this?  I didn't think windows sent the password accross the wire in 
> the clear.
This will be a characteristic of the pam_ldap.so library.  You should use 
ssl when connecting to the LDAP server.  See the examples in the 
/etc/ldap.conf file include with your linux distribution.







chau, jerry
 ---------------------------------------------------------------------
 Hewlett-Packard                                     http://www.hp.com
 SAMBA Team                                       http://www.samba.org
 --                                            http://www.plainjoe.org
 "Sam's Teach Yourself Samba in 24 Hours" 2ed.      ISBN
0-672-32269-2
 --"I never saved anything for the swim back." Ethan Hawk in Gattaca--

samba - Feb 2002 - passwords - windows - clear or hashed over wire?

[Samba] passwords - windows - clear or hashed over wire?

[Samba] passwords - windows - clear or hashed over wire?

[Samba] passwords - windows - clear or hashed over wire?

[Samba] passwords - windows - clear or hashed over wire?

[Samba] passwords - windows - clear or hashed over wire?