OSEC

From: Buchan Milne (bgmilnecae.co.za)
Date: Tue Dec 18 2001 - 03:38:40 CST


    Tzafrir Cohen wrote:

    > On 12 Dec 2001, Bill Kenworthy wrote:
    >
    >
    >>I like this one - setup MySQL etc to go through the normal system
    >>pam/password setup. This fixes the problem for newbies AND in most
    >>cases for the experienced as well with no effort on their part. For
    >>what I think is actually a relatively small group who "wanna do their
    >>own thing", that would still be available to them as they would normally
    >>be "getting in there" and changing things anyway. Another benefit is
    >>only one password system to administer - go for it. And Samba would
    >>benefit from a default set up like this as well, if it is not the
    >>default.
    >>
    >>I know Samba can be set up this way, but can MySQL?
    >>
    >
    > Samba can be tweaked to work this way.
    >

    Samba now actually ships with encrypted passwords set by default in the
    Mandrake RPMs. Windows encrypts (well, one-way-hashes) the password on
    the wire (whereas unix typically has the password in the clear, unless
    using symmetric encryption like ssl or ssh), so there is no way to use
    samba/windows encrypted passwords and authenticate from anything which
    does not store encrypted samba passwords (thus either samba's smbpasswd
    file or a windows domain controller). In all serious implementations of
    samba, encryption is required (specifically when using windows NT 4 or
    later in a domain), and in home use, you would have to reg hack all the
    machines anyway.

    To join a windows 2k or later machine to a samba domain, root has to
    have an (encrypted) smbpasswd.

    We actually do all our password authentication off samba, using windows
    natively for the desktops, or pam_smb for pam enabled services on the
    linux desktops/servers, and smb_auth for our proxy. The next step is to
    get samba storing its passwords in LDAP rather than the smbpasswd file,
    which will be available in 2.2.3 and 3.0.0, both of which are nearing
    completion.

    Buchan

    -- 
    |----------------Registered Linux User #182071-----------------|
    Buchan Milne                Mechanical Engineer, Network Manager
    Cellphone * Work       +27 82 472 2231 * +27 21 808 2497 ext 202
    Stellenbosch Automotive Engineering         http://www.cae.co.za
    

    For help, email discuss-helpmandrakesecure.net; to unsubscribe send a message to discuss-unsubscribemandrakesecure.net. To visit MandrakeSecure, go to http://www.mandrakesecure.net/.
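
An added sketch, not part of the original message, of the point made above: a challenge-response login can only be verified against a store that holds the same hash the client computes, which is why a salted unix password entry cannot serve encrypted Samba logins. SHA-256/HMAC and PBKDF2 are stand-ins for the real NT hash/response and crypt(3); all function names and sample values are constructed for the illustration.

```python
import hashlib
import hmac
import os

def wire_hash(password: str) -> bytes:
    # Stand-in for the hash a Windows client derives from the password
    # (the kind of value an smbpasswd entry or domain controller stores).
    return hashlib.sha256(password.encode("utf-16-le")).digest()

def client_response(password: str, challenge: bytes) -> bytes:
    # The client answers the server's challenge; the password never crosses the wire.
    return hmac.new(wire_hash(password), challenge, hashlib.sha256).digest()

def unix_entry(password: str, salt: bytes) -> bytes:
    # Stand-in for a salted one-way entry in the unix password database.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

def cleartext_check(cleartext: str, salt: bytes, stored: bytes) -> bool:
    # PAM-style check: possible only because the server receives the cleartext.
    return hmac.compare_digest(unix_entry(cleartext, salt), stored)

def response_check(response: bytes, challenge: bytes, stored_key: bytes) -> bool:
    # Challenge-response check: the server recomputes the answer from what it stores.
    expected = hmac.new(stored_key, challenge, hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)

def demo() -> dict:
    password = "constructed-sample-password"   # constructed sample value
    salt = os.urandom(8)
    challenge = os.urandom(8)
    shadow = unix_entry(password, salt)         # what the unix store holds
    smbpasswd = wire_hash(password)             # what an smbpasswd-style store holds
    response = client_response(password, challenge)
    return {
        # Cleartext login against the unix store works.
        "cleartext_vs_unix_store": cleartext_check(password, salt, shadow),
        # Challenge-response against the matching hash store works.
        "response_vs_smb_store": response_check(response, challenge, smbpasswd),
        # The unix store alone cannot verify the response: the salted entry
        # is not the key the client used, and it cannot be turned into it.
        "response_vs_unix_store": response_check(response, challenge, shadow),
        # A wrong password is still rejected by the matching store.
        "wrong_password": response_check(
            client_response("wrong", challenge), challenge, smbpasswd),
    }

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Because the stored hash is itself the key used to answer challenges, a store of this kind needs the same protection as a file of cleartext passwords.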