[Likewise-open-discuss] Getting AD password hashes
Gerald (Jerry) Carter
jerry at samba.org
Wed Apr 23 14:13:30 PDT 2008
Carl Johnson wrote:
>> Even given you had the password (nt) hash, it is still a different hashing
>> algorithm than the one used for /etc/shadow passwords. The only way to sync
>> passwords would be Linux -> Windows (while changing it), but not the other
>> way around.
>
> There are ways to get the correct hashing algorithm
> out of Windows. Extending the AD schema with Services
> For UNIX is one way. From what I understand, MS will
> then store crypt() hashes for you. Our Windows admin
> does not want to do this however.
I think this is the store with reversible encryption
mechanism, right? Certainly not the default. Rafal's
point that the NT hash is a one-way hash is still valid.
> Another method is via the Password Synchronization
> service, which actually sends a triple-DES encoded
> password change feed over the network to an MS-written
> ssod daemon on the unix side, which then passes
> the decrypted password to PAM. It even works
> bidirectional. We are looking at this, but the unix
> code is old and has memory corruption issues on
> modern Linux distros. Since PAM actually does the
> password hashing in this scenario, it is indeed possible
> to do what I want. I'm looking to Likewise as a possible
> alternative however since ssod does not appear to be stable.
Likewise (as does Samba) authenticates the user against AD.
It is client side. So my question of why synchronize passwords
in /etc/passwd when you can authenticate directly against AD
using security protocols is as yet unanswered. If you could
help me understand why you require validating only against
local system files, that would help. Thanks.
PS: The Likewise PAM module (as does Samba) supports
password changes in AD as well. So this would seem to
meet your requirement for the solution to be bidirectional.
cheers, jerry
--
=====================================================================
Samba ------- http://www.samba.org
Likewise Software --------- http://www.likewisesoftware.com
"What man is a man who does not make the world better?" --Balian
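The alternative Jerry describes above, authenticating and changing passwords directly against AD from PAM instead of keeping a synced copy of the hash in /etc/shadow, looks like this as a PAM stack. This is an added, constructed example and not configuration from the thread or from Likewise; it uses Samba's pam_winbind.so on a Debian-style layout (Likewise's own module, pam_lsass.so, is assumed to slot into the same positions).

```text
# /etc/pam.d/common-auth  (constructed example, Debian-style include file)
# Domain users are verified against the DC over Kerberos; the NT hash never
# leaves AD and nothing is written to /etc/shadow. pam_unix is kept only for
# accounts winbind does not know (root, local service accounts).
auth    [success=2 default=ignore]  pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
auth    [success=1 default=ignore]  pam_unix.so nullok_secure try_first_pass
auth    requisite                   pam_deny.so
auth    required                    pam_permit.so

# /etc/pam.d/common-password  (constructed example)
# A domain user's passwd(1) is forwarded to AD, so the change is
# "bidirectional" without any hash conversion: AD stores the NT hash,
# the local box stores nothing for that user.
password [success=1 default=ignore] pam_winbind.so try_first_pass
password requisite                  pam_unix.so obscure sha512 try_first_pass
password required                   pam_permit.so
```

The `success=N` jumps skip the remaining local modules once winbind has answered, so a domain account is never compared against, or written into, /etc/shadow.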