PAP and NT-hashed password

sb superabx at gmail.com
Tue Dec 30 16:58:13 CET 2014


On Tue, Dec 30, 2014 at 5:44 PM, Alan DeKok <aland at deployingradius.com>
wrote:

> On Dec 30, 2014, at 10:28 AM, sb <superabx at gmail.com> wrote:
> > Yes, but how to prevent it? I have nothing about User-Password in
> > freeradius configs:
>
>   Try version 2.2.6.  The PAP module has been updated to do a better job
> of discovering which password is where.
>


Thank you, Alan! I will try to upgrade to 2.2.6.


>
>   And you probably want to double-check the *format* of the passwords.
> You seem to have put the hashed version of the password into the
> userPassword field.  Then, taken that, turned it into hex, and put that
> into the ntPassword field in LDAP.  That’s wrong.
>

Actually we have no userPassword field in LDAP, the string

checkitem    Password-With-Header        userPassword

should be there from default config. I've commented it out, but got the
same.
All that we have in LDAP:

sambaLMPassword: B4****************************************C6
sambaNTPassword: 1D****************************************9B

mapped to:

checkItem    LM-Password            sambaLmPassword
checkItem    NT-Password            sambaNtPassword



>
>   The userPassword field in LDAP should contain the clear-text password.
> e.g. “hello”, or “password”.  The ntPassword field in LDAP should contain
> the hex version of NT hashed password.  e.g. 01abcdef…  OR, the
> userPassword field in LDAP should contain “{nt}01abcdef…”  The {nt} prefix
> says that the rest of the password is the NT hash.
>

Possibly I have to add the {nt} prefix before the password?

"checkItem    User-Password            {nt}sambaNtPassword" - that won't
work?
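
Added example (not part of the original thread and not FreeRADIUS code): the Python below classifies stored directory values by the formats discussed above, namely a 32-digit hex NT hash, a {nt}-prefixed hash, and a hash that was hex-encoded a second time. The helper names, labels and sample hash are constructed for illustration; the check is a heuristic and returns labels only, never the stored values.

```python
import re

HEX32 = re.compile(r"[0-9A-Fa-f]{32}")
HEX64 = re.compile(r"[0-9A-Fa-f]{64}")
HEADER = re.compile(r"\{([A-Za-z0-9-]+)\}(.*)", re.S)

# Constructed sample value, not a real NT hash.
SAMPLE_NT = "0123456789ABCDEF0123456789ABCDEF"

def classify(value):
    """Label one stored password value (heuristic, hypothetical helper)."""
    value = value.strip()
    m = HEADER.fullmatch(value)
    header, body = (m.group(1).lower(), m.group(2)) if m else (None, value)
    if header not in (None, "nt"):
        return "other-header"          # e.g. {ssha}..., not examined here
    if HEX32.fullmatch(body):
        return "nt-header" if header else "nt-hex"
    if HEX64.fullmatch(body):
        # 64 hex digits that decode to 32 ASCII hex digits:
        # the hex form of the hash was hex-encoded again.
        try:
            inner = bytes.fromhex(body).decode("ascii")
        except UnicodeDecodeError:
            inner = ""
        if HEX32.fullmatch(inner):
            return "double-hex"
    return "malformed-nt-header" if header else "cleartext-or-unknown"

# Which labels are acceptable for which check item, following the
# description in the thread (assumption: only these two items are audited).
EXPECTED = {
    "NT-Password": {"nt-hex"},
    "Password-With-Header": {"cleartext-or-unknown", "nt-header", "other-header"},
}

def audit(items):
    """items: {check item name: stored value}. Returns [(item, label)] for suspect entries."""
    findings = []
    for name, value in items.items():
        label = classify(value)
        if name in EXPECTED and label not in EXPECTED[name]:
            findings.append((name, label))
    return findings

if __name__ == "__main__":
    doubled = SAMPLE_NT.encode("ascii").hex()   # the mistake described in the thread
    print(audit({"NT-Password": doubled, "Password-With-Header": SAMPLE_NT}))
```

A bare 32-digit hex string under Password-With-Header is flagged because, without a header, nothing distinguishes it from a clear-text password.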