[Date Prev][Date Next]
Re: openldap and kerberos integration
On 12/15/2010 11:47 PM, Howard Chu wrote:
Hugo Monteiro wrote:
On 12/15/2010 07:19 PM, Howard Chu wrote:
Thierry Lacoste wrote:
I noticed some differences. In particular ldappasswd updates
sambaLMPassword while kpasswd does not.
I suppose we can delete sambaLMPassword support by now, certainly no
one should be using it any more.
I'm sorry but did i understand correctly that sambaLMPassword will no
longer be updated while using the smbk5pwd overlay?
Also, i would like to know why do you state that "no one should be using
it any more". Besides Samba itself, it can (as is) used by freeradius
while using PEAP and MsCHAPv2 for wireless clients authentication.
That's interesting, especially since the KDC itself doesn't maintain
sambaLMPassword. The LANMAN hash mechanism has been obsolete for
years, it is intrinsically weak and is not a good security mechanism.
I think you're mistaken, anyway; according to RFC2759 which defines
MSCHAPv2, it uses an NT hash, not a LANMAN hash. The LANMAN hash was
used for MSCHAPv1 which is also obsolete.
Thanks for clarifying that for me, i was under the impression that
MSCHAPv2 used the LANMAN password . I should have consulted the RFC first.
fct.unl.pt:~# cat .signature
Email : email@example.com
Telefone : +351 212948300 Ext.15307
Web : http://hmonteiro.net
Divisão de Informática
Faculdade de Ciências e Tecnologia da
Universidade Nova de Lisboa
Quinta da Torre 2829-516 Caparica Portugal
Telefone: +351 212948596 Fax: +351 212948548