PAP and NT-hashed password
sb
superabx at gmail.com
Tue Dec 30 16:58:13 CET 2014
On Tue, Dec 30, 2014 at 5:44 PM, Alan DeKok <aland at deployingradius.com>
wrote:
> On Dec 30, 2014, at 10:28 AM, sb <superabx at gmail.com> wrote:
> > Yes, but how to prevent it? I have nothing about User-Password in
> > freeradius configs:
>
> Try version 2.2.6. The PAP module has been updated to do a better job
> of discovering which password is where.
>
Thank you, Alan! I will try to upgrade to 2.2.6.
>
> And you probably want to double-check the *format* of the passwords.
> You seem to have put the hashed version of the password into the
> userPassword field. Then, taken that, turned it into hex, and put that
> into the ntPassword field in LDAP. That’s wrong.
>
Actually we have no userPassword field in LDAP, the string
checkitem Password-With-Header userPassword
should be there from default config. I've commented it out, but got the
same.
All that we have in LDAP:
sambaLMPassword: B4****************************************C6
sambaNTPassword: 1D****************************************9B
mapped to:
checkItem LM-Password sambaLmPassword
checkItem NT-Password sambaNtPassword
>
> The userPassword field in LDAP should contain the clear-text password.
> e.g. “hello”, or “password”. The ntPassword field in LDAP should contain
> the hex version of NT hashed password. e.g. 01abcdef… OR, the
> userPassword field in LDAP should contain “{nt}01abcdef…” The {nt} prefix
> says that the rest of the password is the NT hash.
>
Possibly I have to add the {nt} prefix before the password?
"checkItem User-Password {nt}sambaNtPassword" - that won't
work?