Authenticating CHAP-Password to Pam (Kerberos 5 to AD)

Phil Mayers p.mayers at imperial.ac.uk
Sat Jan 28 02:00:56 CET 2006


Alan DeKok wrote:
> Phil Mayers <p.mayers at imperial.ac.uk> wrote:
>> I'm confused - I and many people are doing MS-CHAP to an AD domain with 
>> samba3, winbind and the ntlm_auth helper - what are you referring to 
>> that doesn't work that samba4 would change?
> 
>   Yes, they're using the old-style NT4 logins.  So MS-CHAP works.

Ah, I see. I had read the message differently - though the poster's 
original question (and, unhelpfully, the subject line) was about CHAP, his 
subsequent query referenced another thread and mentioned MS-CHAP.

You're right that no current software can perform CHAP against AD except 
IAS running on a domain controller against accounts with reversible 
encryption enabled (see below).

> 
>   Samba4 *may* allow pulling clear-text passwords from AD, in which
> case CHAP will work, too.

Why would samba4 be any different than samba3 in that regard? I assume 
we are talking about the same thing (samba as a member server with a 
"real" Microsoft PDC) in which case the code that would need adding 
would be an API on the windows side - AD realms (in fact NT domains all 
the way back to NT4 IIRC) can already store the password in "reversibly 
encrypted" plaintext to support CHAP (only via IAS and only running on 
the physical PDC) or Digest MD5 on HTTP.
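The reason behind the thread's point (CHAP needs the cleartext password, MS-CHAP does not) is the CHAP computation itself, taken here from RFC 1994 and RFC 2865 section 5.3. The following is an added illustration, not code from the thread or from FreeRADIUS; the function names and the sample values are constructed for it.

```python
"""RADIUS CHAP-Password verification (RFC 1994 + RFC 2865 section 5.3).

Constructed example showing why the authenticating server must hold the
user's cleartext password to check a CHAP-Password attribute.
"""
import hashlib
import hmac
from typing import Optional


def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """What the client computes: MD5(CHAP Ident || cleartext password || challenge)."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


def select_challenge(chap_challenge: Optional[bytes], request_authenticator: bytes) -> bytes:
    """RFC 2865: use the CHAP-Challenge attribute if the NAS sent one; otherwise the
    16-octet Request Authenticator of the Access-Request doubles as the challenge."""
    if chap_challenge is not None:
        return chap_challenge
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    return request_authenticator


def verify_chap_password(chap_password: bytes, challenge: bytes,
                         stored_cleartext: Optional[bytes]) -> bool:
    """What the RADIUS server computes.

    chap_password is the CHAP-Password attribute value: 1 octet CHAP Ident
    followed by the 16-octet MD5 response.  stored_cleartext is the password
    as recovered from the user store (e.g. an AD account with "reversible
    encryption" enabled).  A store holding only a one-way hash, such as the
    NT hash that ntlm_auth works from, cannot supply it: the MD5 input is the
    password itself, which is why MS-CHAP (derived from the NT hash) works
    against AD while plain CHAP does not.
    """
    if stored_cleartext is None:
        return False  # hash-only store: CHAP cannot be verified
    if len(chap_password) != 17:
        return False  # malformed attribute: Ident + 16-octet response expected
    ident, response = chap_password[0], chap_password[1:]
    expected = chap_response(ident, stored_cleartext, challenge)
    return hmac.compare_digest(expected, response)
```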
