[Likewise-open-discuss] Getting AD password hashes
Gerald (Jerry) Carter
jerry at samba.org
Thu Apr 24 05:56:14 PDT 2008
Carl Johnson wrote:
|>> If AD is not reachable, what happens?
|>
|> We store the salted MD hash of the NT hash in a protected
|> file on disk (another one-way hash) in order to support
|> cached logins. So for example, my laptop is joined to
|> a local AD domain in my office but I can still login
|> when traveling or working at coffee shops.
|>
|> This feature can be disabled if you prefer.
|
| What if the user has never logged in to that system?
| This scenario is possible with on-call support in
| a large environment.
No. You can only cache when you have already seen.
But I would think that a stolen laptop with a /etc/shadow
file containing every domain user password would be
a worse case. But that is of course not my decision.
cheers, jerry
--
=====================================================================
Samba ------- http://www.samba.org
Likewise Software --------- http://www.likewisesoftware.com
"What man is a man who does not make the world better?" --Balian
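The cached-login behaviour discussed in this message, as an added example that is not part of the original post and is not Likewise code: a cache entry exists only after a successful online login, and an offline login compares a salted one-way hash of the NT hash. The class and method names are hypothetical, SHA-256 is an assumed stand-in for the "salted MD hash" the message mentions, and the NT hash is a constructed 16-byte value.

```python
import hashlib
import hmac
import os


class CachedLoginStore:
    """Toy offline-login cache: user -> (salt, verifier). Hypothetical names."""

    def __init__(self):
        self._entries = {}

    @staticmethod
    def _verifier(salt: bytes, nt_hash: bytes) -> bytes:
        # Assumption: SHA-256 stands in for the salted hash the message describes.
        return hashlib.sha256(salt + nt_hash).digest()

    def record_online_login(self, user: str, nt_hash: bytes) -> None:
        # Called only after the domain controller has accepted the credentials.
        salt = os.urandom(16)
        self._entries[user.lower()] = (salt, self._verifier(salt, nt_hash))

    def verify_offline(self, user: str, nt_hash: bytes) -> bool:
        entry = self._entries.get(user.lower())
        if entry is None:
            return False  # never logged in here: nothing cached to compare against
        salt, stored = entry
        # Constant-time comparison of the stored verifier with the recomputed one.
        return hmac.compare_digest(stored, self._verifier(salt, nt_hash))

    def cached_users(self):
        return sorted(self._entries)


def demo():
    alice_nt = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed sample
    wrong_nt = bytes(16)                                          # constructed sample
    store = CachedLoginStore()
    store.record_online_login("alice", alice_nt)  # laptop was on the office network
    return {
        "alice_offline": store.verify_offline("alice", alice_nt),
        "alice_wrong_password": store.verify_offline("alice", wrong_nt),
        "oncall_never_seen": store.verify_offline("oncall", alice_nt),
        "cached_users": store.cached_users(),
    }


if __name__ == "__main__":
    print(demo())
```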