[Likewise-open-discuss] Getting AD password hashes
Carl Johnson
likewise at carlivar.com
Wed Apr 23 14:01:16 PDT 2008
> Even given you had the password (NT) hash, it is still a different hashing
> algorithm than the one used for /etc/shadow passwords. The only way to sync
> password would be Linux -> Windows (while changing it), but not the other
> way around.
There are ways to get the correct hashing algorithm out of Windows.
Extending the AD schema with Services For UNIX is one way. From what I
understand, MS will then store crypt() hashes for you. Our Windows admin
does not want to do this however.
Another method is via the Password Synchronization service, which
actually sends a triple-DES encoded password change feed over the
network to an MS-written ssod daemon on the unix side, which then passes
the decrypted password to PAM. It even works bidirectionally. We are
looking at this, but the unix code is old and has memory corruption
issues on modern Linux distros. Since PAM actually does the password
hashing in this scenario, it is indeed possible to do what I want. I'm
looking to Likewise as a possible alternative however since ssod does
not appear to be stable.
Carl