[Likewise-open-discuss] Getting AD password hashes

Gerald (Jerry) Carter jerry at samba.org
Thu Apr 24 07:47:47 PDT 2008


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Carl Johnson wrote:
>> No.  You can only cache when you have already seen.
>> But I would think that a stolen laptop with a /etc/shadow
>> file containing every domain user password would be
>> a worse case.  But that is of course not my decision.
> 
> Every hashed domain user password you mean.

Hashes can be cracked.  So no guarantees here.

> But as I already mentioned, I am referring to 
> servers, not laptops.

Sure.  But still you have to secure all the servers to ensure
the security of the passwords.  Rather than ensuring the
security solely of the DCs.  And since the ratio of server
vs. DC is generally much higher, it's just a bit more work.
Since these are servers and not portable devices then
I would enable cached credential support in Likewise Open
to strengthen my position on this.

But this is really getting into a more philosophical area
rather than the original technical question.  So perhaps it
is better to just call end-of-line.

The technical summary is that pam_lwidentity validates the
password using the domain controllers and is not intended
to help capture passwords.  You could have a migration pam
module in the auth stack that wrote out the correct password
after the user had been authenticated by Likewise but such a
PAM module is left as an "exercise for the reader" (TM).

Hope this helps.



cheers, jerry
- --
=====================================================================
Samba                                    ------- http://www.samba.org
Likewise Software          ---------  http://www.likewisesoftware.com
"What man is a man who does not make the world better?"      --Balian
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFIEJ2TIR7qMdg1EfYRAlRIAJ9QlPLZMlcDg7ZHpXOGFMzsQK9CrgCgzW81
wdlAJ/2VnB+KkSmw9Wopzmc=
=iC0M
-----END PGP SIGNATURE-----