[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: openldap and kerberos integration

Hugo Monteiro wrote:
On 12/15/2010 07:19 PM, Howard Chu wrote:
Thierry Lacoste wrote:
I noticed some differences. In particular ldappasswd updates
sambaLMPassword while kpasswd does not.

I suppose we can delete sambaLMPassword support by now, certainly no
one should be using it any more.

I'm sorry but did i understand correctly that sambaLMPassword will no
longer be updated while using the smbk5pwd overlay?
Also, i would like to know why do you state that "no one should be using
it any more". Besides Samba itself, it can (as is) used by freeradius
while using PEAP and MsCHAPv2 for wireless clients authentication.

That's interesting, especially since the KDC itself doesn't maintain sambaLMPassword. The LANMAN hash mechanism has been obsolete for years, it is intrinsically weak and is not a good security mechanism.

I think you're mistaken, anyway; according to RFC2759 which defines MSCHAPv2, it uses an NT hash, not a LANMAN hash. The LANMAN hash was used for MSCHAPv1 which is also obsolete.

  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/