OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
Subject: Re: [suse-security] importing users
From: Nix (susenix.hispeed.com)
Date: Mon Dec 11 2000 - 04:45:22 CST

http://au1.samba.org/samba/ftp/pwdump/

http://au1.samba.org/samba/docs/man/smb.conf.5.html#unixpasswordsync

unix password sync (G)
This boolean parameter controls whether Samba attempts to synchronize the
UNIX password with the SMB password when the encrypted SMB password in the
smbpasswd file is changed. If this is set to true the program specified in
the "passwd program" parameter is called *AS ROOT* - to allow the new UNIX
password to be set without access to the old UNIX password (as the SMB
password has change code has no access to the old password cleartext, only
the new). By default this is set to "false".
See also "passwd program", "passwd chat".
Default: unix password sync = False
Example: unix password sync = True

If you do a little more reading (I'm not going to do all your work for you)
or ask on the correct mailing list (ie samba) you will have no trouble
setting up Samba to do pass-through authentication to an NT server
for a period of time. Everytime someone logs onto the domain, and
a local account doesn't exist on the unix server, samba will automatically
add it for you.

Cheers

-Nix

At 05:57 PM 8/12/2000 +0100, you wrote:
>Hi Stephan.
>
>On Fri, 8 Dec 2000, OKDesign oHG Security Webmaster wrote:
>
> > Hi folks,
> >
> > finally one of our clients is interested in switching from WinDoof to
> Linux.
> > But he needs some tool to import the existing users on WindowsNT to
> Linux in
> > a secure manner (that means, not only importing the users, but also the
> > passwords; but he don't know all passwords)
> > Is there any way to do this efficiently ?
>
>IMHO it's not possible to import the passwords from WinNT to Linux due to
>the fact that they use different hashing algorithms (Linux crypt(), which
>is a better form of DES, WinNT uses some kind of MD5 (?)). If you can get
>Linux to use the same hashing algorithm (perhaps MD5 with PAM? I don't
>know for sure), it should be somehow possible. But I don't really know of
>any efficient (and really secure) method.
>Sure, you could crack the passwords with l0phtcrack, and import them under
>Linux, not what I'd call secure and/or efficient :-).
>
> > Best would be, if the user-data could also be included into samba (samba
> > should act as an login-server for his domain)
>
>This however should be perfectly possible, just export the SAM from NT,
>and import the hashes into /etc/smbpasswd, which you need anyway. But then
>there's no login to the Linux machine (POP3, FTP...).
>
>Greetings
>olli
>
> >
> > Thanks in advance
> >
> > ---
> > --------------------------------------------
> > Stephan M. Ott // OKDesign oHG
> > Internet-Providing und Netzwerkmanagement
> > smookdesign.de ..... http://www.okdesign.de
> > fon. +49 961 3814139 .. fax. +49 961 3814140
> > mobil 0171-8351130 ... oder ... 0171-7858064
> > --------------------------------------------
> >
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: suse-security-unsubscribesuse.com
> > For additional commands, e-mail: suse-security-helpsuse.com
> >
> >
> >
> >
>
>--
>--------------------------------------
>Oliver Hensel <oliver.henselgmx.net>
> <ohenselsecurity-academy.de>
> http://www.ohensel.de/
>
> Training + Consulting
> Unix - Linux - Firewalls - Security
>--------------------------------------
>
>
>---------------------------------------------------------------------
>To unsubscribe, e-mail: suse-security-unsubscribesuse.com
>For additional commands, e-mail: suse-security-helpsuse.com

---------------------------------------------------------------------
To unsubscribe, e-mail: suse-security-unsubscribesuse.com
For additional commands, e-mail: suse-security-helpsuse.com