Validating plaintext passwords against Samba 4
Hi, There are several documents about how to authenticate MSCHAP requests against Samba 4 / AD. My question is, what's the preferred way to authenticate requests which contain plaintext passwords, i.e. PAP, against S4/AD? rlm_mschap has hooks to talk to ntlm_auth or winbind, but rlm_pap doesn't. It seems to me I could: * use rlm_ldap, and do a bind using the user supplied password * use rlm_krb5 (i.e. kerberos as a password oracle) Is there another/better way? Thanks, Brian.
On Jan 5, 2017, at 12:28 PM, Brian Candler <b.candler@pobox.com> wrote:
My question is, what's the preferred way to authenticate requests which contain plaintext passwords, i.e. PAP, against S4/AD? rlm_mschap has hooks to talk to ntlm_auth or winbind, but rlm_pap doesn't.
It seems to me I could:
* use rlm_ldap, and do a bind using the user supplied password
* use rlm_krb5 (i.e. kerberos as a password oracle)
Either way is fine.
Is there another/better way?
Personally, I'd probably use LDAP. Alan DeKok.
On Thu, Jan 05, 2017 at 12:30:14PM -0500, Alan DeKok wrote:
On Jan 5, 2017, at 12:28 PM, Brian Candler <b.candler@pobox.com> wrote:
* use rlm_ldap, and do a bind using the user supplied password
* use rlm_krb5 (i.e. kerberos as a password oracle)
Either way is fine.
Is there another/better way?
Personally, I'd probably use LDAP.
Agreed. ntlm_auth will do PAP as well if you really must (mods-available/ntlm_auth). rlm_winbind in v3.1.x/v4.0.x if you dare. Matthew -- Matthew Newton, Ph.D. <mcn4@leicester.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
participants (3)
-
Alan DeKok -
Brian Candler -
Matthew Newton