Alan DeKok wrote:
Phil Mayers <[EMAIL PROTECTED]> wrote:
Download Samba, ensuring it is 3.0.21rc1 or later which includes the patch Alan talks about. Compile and install samba. Read the samba documentation. Configure your Samba server. Ensure winbindd and nmbd are running. Join the AD domain. Ensure samba is working ("wbinfo -D DOMAIN", "wbinfo -a username%pass" are good basic tests)

Install FreeRadius, making sure it is 1.1.0, which will strip the machine name "host/name.domain.com" to "name". Make the following changes to the default config:

  Isn't that a whole heck of a lot of work?

Indeed


  I took a look at the packet traces going to the domain controller.
It turns out that about 4 packets are necessary.  There's a libntlm
that does the NTLM oddities, so all that needs to happen is for
someone to write a minimal SMB client.

Isn't libntlm client-side NTLM?

As far as I know, to execute the required RPCs you need a machine account and thus at minimum must have a local secret store and support for the RPCs to join a domain (can be in a binary helper app), change the machine password (ditto, executed from cron) and execute the basic netlogon stuff. Sadly, Microsoft being Microsoft, there's a surprisingly large amount to do for this to work reliably. With later versions of Windows, 2k3 in particular, the amount of support required for even basic netlogon RPCs is large, as they've upped the security ante.

rlm_smb seems to be just for validating plaintext passwords. With the older MS-CHAPv1 you could do something to just proxy the challenge and response to any SMB server, but that server (and the supporting domain) would have to have a lot of options that are turned off by default for security reasons these days. NTLMv2 and MS-CHAPv2 were designed as you know to eliminate that MITM potential.

But I can see what you're saying and agree - it's awfully heavyweight for basic users.

Perhaps we could invert the problem - a small, easily auditable binary compiled for win32 that listens on a TCP port, uses some lightweight method to secure connections (maybe SRP?) and acts as an ultra-lightweight proxy for the required RPCs? Sites that want to can just run it as a service on the PDC or any member server. Sites large enough to forbid this are likely large enough to put the effort into running Samba.

(I could actually see this being preferable to rlm_ldap for some cases if you permit a few other RPCs on the wire)


  The result would be a module like rlm_smb (which I can't make work
anymore), but that replaces ntlm_auth, winbindd, and Samba.  It would
be small, fast, and a lot easier to use.

  It requires time/energy to do the work, but there is demand for it
in a number of places.

Indeed. Sadly my own experience of SMB protocols leads me to believe that anything less than Samba is likely to cause even more problems. It at least has the advantage of lots of expertise interoperating with years of diverse protocol options, the more modern of which can be arcane to say the least.

It may be worth asking the guys on the samba-technical list if they have any suggestions.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

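The basic Samba/winbind checks mentioned in the thread ("wbinfo -D DOMAIN", "wbinfo -a username%pass"), plus the ntlm_auth call that FreeRADIUS' mschap module ultimately depends on, gathered into one check script. This is an added example, not code from the original posts or from the Samba or FreeRADIUS projects. The DOMAIN, user and password values are placeholders you pass on the command line; wbinfo and ntlm_auth are Samba's own tools and the checks are skipped if they are not installed. The strip_machine_name function simply reproduces, for local testing, the "host/name.domain.com" to "name" normalisation the post attributes to FreeRADIUS 1.1.0; it is an illustration of that rule, not FreeRADIUS code.

```shell
#!/bin/sh
# Added example (not from the original posts): verify the winbind / ntlm_auth
# path that FreeRADIUS uses for MS-CHAP against an AD domain, and show the
# machine-name normalisation described in the thread.
#
# Usage: sh check_winbind.sh DOMAIN username password
# (DOMAIN, username and password are placeholders supplied by the caller.)

# Normalise an EAP/MS-CHAP machine identity such as "host/name.domain.com"
# to the short host name "name", as the post says FreeRADIUS 1.1.0 does.
# Plain user names are returned unchanged.  Pure string handling, no Samba needed.
strip_machine_name() {
    name="$1"
    case "$name" in
        host/*) name="${name#host/}"      # drop the "host/" service prefix
                name="${name%%.*}" ;;     # drop the DNS suffix after the first dot
    esac
    printf '%s\n' "$name"
}

# Run the sanity checks from the thread.  Returns 0 if every step passes,
# 1 on the first failure, 2 if the Samba tools are not installed.
check_winbind() {
    domain="$1"; user="$2"; pass="$3"

    command -v wbinfo >/dev/null 2>&1 || { echo "wbinfo not installed"; return 2; }

    # Machine-account trust secret is valid (i.e. the domain join is intact).
    wbinfo -t || { echo "FAIL: wbinfo -t (trust secret)"; return 1; }

    # Domain information can be retrieved from a DC (winbindd + nmbd working).
    wbinfo -D "$domain" || { echo "FAIL: wbinfo -D $domain"; return 1; }

    # Plaintext and challenge/response authentication through winbindd.
    wbinfo -a "$user%$pass" || { echo "FAIL: wbinfo -a $user"; return 1; }

    # Same check via ntlm_auth, which is what rlm_mschap calls with
    # --request-nt-key; expect "NT_STATUS_OK: Success (0x0)".
    if command -v ntlm_auth >/dev/null 2>&1; then
        ntlm_auth --request-nt-key --domain="$domain" \
                  --username="$user" --password="$pass" \
            || { echo "FAIL: ntlm_auth --request-nt-key for $user"; return 1; }
    else
        echo "ntlm_auth not installed; skipping rlm_mschap-style check"
    fi

    echo "OK: winbind and ntlm_auth checks passed for $user in $domain"
    return 0
}

# Only run the live checks when invoked with DOMAIN, user and password.
if [ $# -ge 3 ]; then
    check_winbind "$1" "$(strip_machine_name "$2")" "$3"
fi
```

Note that both `wbinfo -a user%pass` and `ntlm_auth --password=...` put the password on the command line, where it is visible in the process list and shell history; that is fine for a one-off test of a throwaway account, but not something to script with a real user's credentials.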