On Mon, 2004-12-27 at 19:25 +0530, Gopal Krishna C J wrote:
> Hi,
>
> I'm looking for inspiration on how to get Samba (set up as a Domain controller) to authenticate its users by AAA products like Safeword from securecomputing (www.safeword.com) or RSA SecureID - www.rsa.com
Replacing passwords in an NT domain environment is a tricky problem, because unlike Active Directory, we don't have Kerberos. Kerberos allows the exchange between the fob and the central server to be customised, and nobody else in the chain needs to care what's going on.

Once you use passwords, and in the 'cached password' NT Domain Logon environment that we have, there is a presumption that the password does not change after the user logs in. This is used to give the illusion of 'single sign on'. If the password does change, and a server is contacted (say a new file-server), then the user will be prompted for a password. This is fine (well, a right royal pain, but functional) *most* of the time, but we lose the auto-reconnect feature, and can lose data. (See discussion about plaintext passwords and Samba, because I think it's the same problem.)

However, I think it is still possible to construct a system that has the benefit of the 'fob', but with sufficient 'memory' such that once a workstation has cached a password for a login session, the password can still be used. Provided the one-time passwords are kept secret for the reasonable life of the session, this should still be a security improvement over the constant passwords, because users can't choose them.

This would require the algorithm for the generation of the one-time passwords to be public, and Samba as the server would need access to those passwords. It could then 'remember' passwords successfully used for an interactive logon request, and allow that password to be used via file-servers, proxy servers and the like for the reasonable duration of the session. BDC operation would be interesting, but I suppose possible.

Yes, this is very easily spoofed, but the passwords are not clear-text on the network in the first place, so it is practical to consider them confidential.
Hmm, perhaps it's just easier to finish Samba4, and use Kerberos :-)

Andrew Bartlett

--
Andrew Bartlett [EMAIL PROTECTED]
Authentication Developer, Samba Team http://samba.org
Student Network Administrator, Hawker College [EMAIL PROTECTED]
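The scheme Andrew sketches above (a public one-time-password algorithm, the DC verifying a fresh fob code at interactive logon, then remembering that code as the session password so file-server reconnects keep working) can be modelled in a few dozen lines. The following is an added illustration written for this thread, not Samba code and not anything the Samba Team shipped. It assumes RFC 4226 HOTP as the "public algorithm", a hypothetical `OtpSessionCache` class standing in for the DC, a per-user counter so a code is never accepted interactively twice, and a session TTL after which the cached code is forgotten. The `service_logon` step abstracts away NTLM's challenge/response and simply compares against the cached value; a real implementation would derive the response from the cached password instead.

```python
import hashlib
import hmac
import time


# RFC 4226 HOTP: the "public" one-time-password algorithm the scheme relies on.
def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Return the HOTP value for (secret, counter) as a zero-padded string."""
    msg = counter.to_bytes(8, "big")
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class OtpSessionCache:
    """Hypothetical domain-controller side of the scheme.

    interactive_logon(): verify a fresh fob code, advance the per-user counter so
    the same code is never accepted interactively again, and cache it as the
    password for this session.
    service_logon(): what a file server would ask the DC to check on reconnect;
    only a cached, unexpired session password is accepted.
    """

    def __init__(self, secrets, session_ttl=8 * 3600, window=5, clock=time.time):
        self._secrets = dict(secrets)              # user -> fob seed
        self._counters = {u: 0 for u in secrets}   # next counter expected per user
        self._sessions = {}                        # user -> (cached otp, expiry)
        self.session_ttl = session_ttl
        self.window = window                       # tolerated fob/server counter drift
        self.clock = clock                         # injectable for testing

    def interactive_logon(self, user, otp):
        secret = self._secrets.get(user)
        if secret is None:
            return False
        start = self._counters[user]
        for counter in range(start, start + self.window):
            if hmac.compare_digest(hotp(secret, counter), otp):
                self._counters[user] = counter + 1          # burn this and earlier codes
                self._sessions[user] = (otp, self.clock() + self.session_ttl)
                return True
        return False

    def service_logon(self, user, password):
        entry = self._sessions.get(user)
        if entry is None:
            return False
        cached, expiry = entry
        if self.clock() >= expiry:                  # session outlived its TTL
            del self._sessions[user]
            return False
        return hmac.compare_digest(cached, password)


def demo():
    """One session walked through with a constructed seed (the RFC 4226 test secret)."""
    seed = b"12345678901234567890"
    now = [1_000_000.0]                              # fake clock, advanced by hand
    dc = OtpSessionCache({"alice": seed}, session_ttl=3600, clock=lambda: now[0])
    code0 = hotp(seed, 0)                            # what the fob displays first
    results = {
        "logon": dc.interactive_logon("alice", code0),          # fresh code accepted
        "fileserver_reconnect": dc.service_logon("alice", code0),  # cached copy works
        "replay_interactive": dc.interactive_logon("alice", code0),  # burned code refused
        "wrong_code_service": dc.service_logon("alice", "000000"),
    }
    now[0] += 3601                                   # let the session expire
    results["reconnect_after_expiry"] = dc.service_logon("alice", code0)
    results["next_code_logon"] = dc.interactive_logon("alice", hotp(seed, 1))
    return results


if __name__ == "__main__":
    for step, ok in demo().items():
        print(f"{step:24s} {'accepted' if ok else 'refused'}")
```

The counter window is what keeps the spoofing risk Andrew mentions bounded: a captured code is useful only for service logons until the TTL runs out, and never again for an interactive logon, so the exposure is the session length rather than the lifetime of a user-chosen password.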