Mailinglist Archive: opensuse-security (520 mails)

Re: [suse-security] importing users
  • From: Gerhard Sittig <Gerhard.Sittig@xxxxxxx>
  • Date: Fri, 8 Dec 2000 22:10:15 +0100
  • Message-id: <20001208221015.A27042@xxxxxxxxxxxxx>
On Fri, Dec 08, 2000 at 17:57 +0100, Oliver Hensel wrote:
>
> On Fri, 8 Dec 2000, OKDesign oHG Security Webmaster wrote:
>
> > [ ... migrating NT users to Unix ... ]
>
> Sure, you could crack the passwords with l0phtcrack, and import
> them under Linux, not what I'd call secure and/or efficient :-).

Unless it can be done by a computer automatically. As soon as
human resources are no longer involved computational complexity
loses some of its fear. :) Luckily brute forcing is not always a
solution and even computers have their limits. :> This BTW once
more reminds us of the well known fact that your passwords are
only as secure as your access to the user database is ...

Feeding the resulting passwords into "smbpasswd -a" should be
doable by some scripting mechanism, feel free to choose one of
the numerous available languages. Alternatively you could copy
the code which makes the hash and crypt forms from them.

Another method of migrating could be to supply arbitrary but
known passwords when creating the users and immediately expiring
them. This way the passwords have to be changed right away at
the first login. But I don't know if this works in SMB only (or
mostly) environments.

> > Best would be, if the user-data could also be included into
> > samba (samba should act as a login-server for his domain)
>
> This however should be perfectly possible, just export the SAM
> from NT, and import the hashes into /etc/smbpasswd, which you
> need anyway. But then there's no login to the Linux machine
> (POP3, FTP...).

Read "man 5 smb.conf" and search for "sync" and/or "password".
When you feed samba with passwords (that is, provide them in the
clear) it can set the "traditional" Unix password for you, too.
That's BTW convenient - and easier to teach - for those users who
prefer "graphical frontends" and are afraid of typing "passwd" in
a terminal session. That's when they could use the means MS
software provides.


virtually yours 82D1 9B9C 01DC 4FB4 D7B4 61BE 3F49 4F77 72DE DA76
Gerhard Sittig true | mail -s "get gpg key" Gerhard.Sittig@xxxxxxx
--
If you don't understand or are scared by any of the above
ask your parents or an adult to help you.
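
The second approach in the message above (known passwords that are expired immediately), as an added example that is not part of the original post. It uses a random one-time password per user; the function names, the name policy and the `APPLY` switch are assumptions of this sketch, and with `APPLY=1` it needs root plus `useradd`, `chpasswd`, `chage` and `smbpasswd`.

```shell
#!/bin/sh
# Added example (not from the original post): create accounts with random
# one-time passwords and expire them so the first login forces a change.
# Dry run by default; set APPLY=1 and run as root to change the system.
LC_ALL=C; export LC_ALL   # make the a-z ranges below ASCII-only

# 96 random bits from the kernel CSPRNG, as 24 hex characters.
gen_temp_password() {
    od -An -N12 -tx1 /dev/urandom | tr -d ' \n'
}

# Accept only conservative login names (hypothetical policy for this sketch).
valid_username() {
    case "$1" in
        ''|*[!a-z0-9_-]*|[!a-z_]*) return 1 ;;
    esac
    [ "${#1}" -le 32 ]
}

# Prints "user password" so the password can be handed over out of band.
provision_user() {
    user=$1
    valid_username "$user" || { echo "skipped invalid name: $user" >&2; return 1; }
    pw=$(gen_temp_password)
    if [ "${APPLY:-0}" = 1 ]; then
        useradd -m "$user" || return 1
        printf '%s:%s\n' "$user" "$pw" | chpasswd || return 1
        # -s reads the password twice from stdin, -a adds the Samba entry.
        printf '%s\n%s\n' "$pw" "$pw" | smbpasswd -s -a "$user" >/dev/null || return 1
        # Last-change date 0 makes the Unix password expired at next login.
        chage -d 0 "$user" || return 1
    fi
    printf '%s %s\n' "$user" "$pw"
}

# Constructed sample names; the third is rejected by valid_username.
for name in alice bob 'bad;name'; do
    provision_user "$name" || true
done
```

`chage -d 0` only touches the Unix shadow entry, so the open question in the message about SMB-only logins still applies.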
