Authenticating CHAP-Password to Pam (Kerberos 5 to AD)
Phil Mayers
p.mayers at imperial.ac.uk
Sat Jan 28 13:18:41 CET 2006
> Yes. And once Samba4 is a full-fledged member of an AD domain, the
> other AD servers will happily replicate data to it... including the
> clear-text password. Samba4 can then expose it in the userPassword field.
Ah, so Samba4 as a PDC rather than member server, peering with Microsoft
PDCs. That is an option I had not considered, and is certainly an
interesting possibility, though still dependent on the per-account or
whole-domain setting and a password change.
>
> The reason IAS works is that it does super-secret magic Microsoft
> calls that no one has figured out. If Samba4 is a member of the AD
> domain, it doesn't have to figure out those calls.
Indeed.