[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: openldap and kerberos integration

On 12/15/2010 11:47 PM, Howard Chu wrote:
Hugo Monteiro wrote:
On 12/15/2010 07:19 PM, Howard Chu wrote:
Thierry Lacoste wrote:
I noticed some differences. In particular ldappasswd updates
sambaLMPassword while kpasswd does not.

I suppose we can delete sambaLMPassword support by now, certainly no
one should be using it any more.

I'm sorry but did i understand correctly that sambaLMPassword will no
longer be updated while using the smbk5pwd overlay?
Also, i would like to know why do you state that "no one should be using
it any more". Besides Samba itself, it can (as is) used by freeradius
while using PEAP and MsCHAPv2 for wireless clients authentication.

That's interesting, especially since the KDC itself doesn't maintain sambaLMPassword. The LANMAN hash mechanism has been obsolete for years, it is intrinsically weak and is not a good security mechanism.

I think you're mistaken, anyway; according to RFC2759 which defines MSCHAPv2, it uses an NT hash, not a LANMAN hash. The LANMAN hash was used for MSCHAPv1 which is also obsolete.

Hello Howard,

Thanks for clarifying that for me, i was under the impression that MSCHAPv2 used the LANMAN password . I should have consulted the RFC first.

Best Regards,

Hugo Monteiro.

fct.unl.pt:~# cat .signature

Hugo Monteiro
Email	 : hugo.monteiro@fct.unl.pt
Telefone : +351 212948300 Ext.15307
Web      : http://hmonteiro.net

Divisão de Informática
Faculdade de Ciências e Tecnologia da
		   Universidade Nova de Lisboa
Quinta da Torre   2829-516 Caparica   Portugal
Telefone: +351 212948596   Fax: +351 212948548
www.fct.unl.pt                apoio@fct.unl.pt

fct.unl.pt:~# _