Authenticating CHAP-Password to Pam (Kerberos 5 to AD)

Alan DeKok aland at ox.org
Sat Jan 28 07:02:31 CET 2006


Phil Mayers <p.mayers at imperial.ac.uk> wrote:
> Why would samba4 be any different than samba3 in that regard?

  Because Samba4 will be a full-fledged AD domain member.  Samba3 is a
second-class citizen of an AD domain, as it implements NT domains.

> I assume we are talking about the same thing (samba as a member
> server with a "real" microsoft PDC) in which case the code that
> would need adding would be an API on the windows side - AD realms
> (in fact NT domains all the way back to NT4 IIRC) can already store
> the password in "reversibly encrypted" plaintext to support CHAP
> (only via IAS and only running on the physical PDC) or Digest MD5 on
> HTTP.

  Yes.  And once Samba4 is a full-fledged member of an AD domain, the
other AD servers will happily replicate data to it... including the
clear-text password.  Samba4 can then expose it in the userPassword field.

  The reason IAS works is that it does super-secret magic Microsoft
calls that no one has figured out.  If Samba4 is a member of the AD
domain, it doesn't have to figure out those calls.

  Alan DeKok.
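As an added illustration (not part of the thread), here is why the server side of CHAP needs the clear-text password rather than a one-way hash: per RFC 1994 the client's response is MD5(Identifier || secret || Challenge), and the RADIUS server must recompute exactly that from whatever it has stored. The CHAP-Password attribute layout (one identifier octet followed by the 16-octet response) follows RFC 2865; the password and challenge values below are constructed samples.

```python
import hashlib
import hmac
import os


def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP with MD5: MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


def build_chap_password_attr(ident: int, password: bytes, challenge: bytes) -> bytes:
    """Client side: value of the RADIUS CHAP-Password attribute (RFC 2865),
    i.e. the CHAP identifier octet followed by the 16-octet MD5 response."""
    return bytes([ident]) + chap_response(ident, password, challenge)


def verify_chap_password(attr_value: bytes, challenge: bytes, stored_cleartext: bytes) -> bool:
    """Server side: recompute the response from the stored clear-text password.

    This is the step that forces the backend (AD's reversibly encrypted
    password, or a userPassword field exposed by a domain member) to hand
    over the clear-text secret: an NT hash or any other one-way digest of
    the password cannot be fed into MD5(id || secret || challenge).
    In RADIUS the challenge is the CHAP-Challenge attribute if present,
    otherwise the 16-octet Request Authenticator.
    """
    if len(attr_value) != 17:          # 1 ident octet + 16-byte MD5 response
        return False
    ident = attr_value[0]
    expected = chap_response(ident, stored_cleartext, challenge)
    return hmac.compare_digest(expected, attr_value[1:])


if __name__ == "__main__":
    # Constructed sample exchange: NAS picks a random challenge, the client
    # answers with its password, the server checks against its stored copy.
    challenge = os.urandom(16)
    attr = build_chap_password_attr(0x2A, b"s3cret-pass", challenge)
    print("accept:", verify_chap_password(attr, challenge, b"s3cret-pass"))
    print("reject:", verify_chap_password(attr, challenge, b"wrong-pass"))
```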