Hi folks,

finally one of our clients is interested in switching from WinDoof to Linux. But he needs some tool to import the existing users on WindowsNT to Linux in a secure manner (that means, not only importing the users, but also the passwords; but he doesn't know all passwords). Is there any way to do this efficiently?

Best would be, if the user-data could also be included into samba (samba should act as a login-server for his domain)

Thanks in advance

---
--------------------------------------------
Stephan M. Ott // OKDesign oHG
Internet-Providing und Netzwerkmanagement
smo@okdesign.de ..... http://www.okdesign.de
fon. +49 961 3814139 .. fax. +49 961 3814140
mobil 0171-8351130 ... or ... 0171-7858064
--------------------------------------------
Hi Stephan.

On Fri, 8 Dec 2000, OKDesign oHG Security Webmaster wrote:
Hi folks,
finally one of our clients is interested in switching from WinDoof to Linux. But he needs some tool to import the existing users on WindowsNT to Linux in a secure manner (that means, not only importing the users, but also the passwords; but he doesn't know all passwords). Is there any way to do this efficiently?
IMHO it's not possible to import the passwords from WinNT to Linux due to the fact that they use different hashing algorithms (Linux crypt(), which is a better form of DES, WinNT uses some kind of MD5 (?)). If you can get Linux to use the same hashing algorithm (perhaps MD5 with PAM? I don't know for sure), it should be somehow possible. But I don't really know of any efficient (and really secure) method. Sure, you could crack the passwords with l0phtcrack, and import them under Linux, not what I'd call secure and/or efficient :-).
Best would be, if the user-data could also be included into samba (samba should act as a login-server for his domain)
This however should be perfectly possible, just export the SAM from NT, and import the hashes into /etc/smbpasswd, which you need anyway. But then there's no login to the Linux machine (POP3, FTP...).

Greetings
olli
Thanks in advance
--
--------------------------------------
Oliver Hensel
On Fri, Dec 08, 2000 at 17:57 +0100, Oliver Hensel wrote:
On Fri, 8 Dec 2000, OKDesign oHG Security Webmaster wrote:
[ ... migrating NT users to Unix ... ]
Sure, you could crack the passwords with l0phtcrack, and import them under Linux, not what I'd call secure and/or efficient :-).
Unless it can be done by a computer automatically. As soon as human resources are no longer involved computational complexity loses some of its fear. :) Luckily brute forcing is not always a solution and even computers have their limits. :>

This BTW once more reminds us of the well known fact that your passwords are only as secure as your access to the user database is ...

Feeding the resulting passwords into "smbpasswd -a" should be doable by some scripting mechanism, feel free to choose one of the numerous available languages. Alternatively you could copy the code which makes the hash and crypt forms from them.

Another method of migrating could be to supply arbitrary but known passwords when creating the users and immediately expiring them. This way the passwords have to be changed right away at the first login. But I don't know if this works in SMB only (or mostly) environments.
Best would be, if the user-data could also be included into samba (samba should act as a login-server for his domain)
This however should be perfectly possible, just export the SAM from NT, and import the hashes into /etc/smbpasswd, which you need anyway. But then there's no login to the Linux machine (POP3, FTP...).
Read "man 5 smb.conf" and search for "sync" and/or "password". When you feed samba with passwords (that is, provide them in the clear) it can set the "traditional" Unix password for you, too. That's BTW convenient - and easier to teach - for those users who prefer "graphical frontends" and are afraid of typing "passwd" in a terminal session. That's when they could use the means MS software provides.

virtually yours
82D1 9B9C 01DC 4FB4 D7B4 61BE 3F49 4F77 72DE DA76
Gerhard Sittig true | mail -s "get gpg key" Gerhard.Sittig@gmx.net
--
If you don't understand or are scared by any of the above ask your parents or an adult to help you.
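The fallback route Gerhard describes above (create every migrated account with an arbitrary known password, feed it to smbpasswd from a script, and expire it at once so the first login forces a change), as an added example that is not from the thread. It assumes useradd, chpasswd and chage from shadow-utils and smbpasswd from Samba 2.x, and it only prints the privileged commands unless DRY_RUN=0.

```shell
#!/bin/sh
# Added example, not from the thread: provision migrated NT accounts on
# Linux with random initial passwords that expire at once, the fallback
# method described above. Assumes useradd, chpasswd, chage (shadow-utils)
# and smbpasswd (Samba 2.x) exist. Runs in dry-run mode unless DRY_RUN=0.
DRY_RUN="${DRY_RUN:-1}"

# Map an NT account name to a login name useradd accepts: lowercase,
# anything outside [a-z0-9_-] (spaces, umlauts, ...) becomes '_', and a
# name that starts with a digit or '-' gets a 'u' prefix.
sanitize_name() {
    name=$(printf '%s' "$1" | tr 'A-Z' 'a-z' | tr -c 'a-z0-9_-' '_' | cut -c1-31)
    case "$name" in
        [a-z_]*) ;;
        *) name="u$name" ;;
    esac
    printf '%s\n' "$name"
}

# 16 random alphanumeric characters; only a placeholder until first login.
gen_password() {
    tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 16
}

# Execute a command, or just show it when dry-running.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'DRY-RUN: %s\n' "$*"
    else
        "$@"
    fi
}

# Create the Unix account and the Samba entry for one NT account name,
# expire the Unix password, and return "login password" for out-of-band
# delivery to the user.
provision_user() {
    login=$(sanitize_name "$1")
    pw=$(gen_password)
    if [ "$DRY_RUN" != 1 ] && id "$login" >/dev/null 2>&1; then
        echo "skip: $login already exists" >&2
        return 0
    fi
    run useradd -m -c "migrated NT account $1" "$login"
    if [ "$DRY_RUN" = 1 ]; then
        printf 'DRY-RUN: chpasswd and smbpasswd -a -s %s (password on stdin)\n' "$login"
    else
        # Passwords go over stdin, never on the command line (visible in ps).
        printf '%s:%s\n' "$login" "$pw" | chpasswd
        printf '%s\n%s\n' "$pw" "$pw" | smbpasswd -a -s "$login"
    fi
    run chage -d 0 "$login"   # last change = epoch: must change at next login
    printf '%s %s\n' "$login" "$pw"
}

# Constructed sample export: NT account names, one per line.
NT_USERS='John Smith
MUELLER
2nd-shift'

printf '%s\n' "$NT_USERS" | while IFS= read -r ntname; do
    [ -n "$ntname" ] || continue
    provision_user "$ntname"
done
```

The password a user then picks through the familiar Windows dialog can also replace the expired Unix one if smb.conf sets `unix password sync = yes` with a matching `passwd program` and `passwd chat` (the options behind the "sync"/"password" search in man 5 smb.conf); the caveat above stands for accounts that only ever log in over SMB, where the chage expiry alone does not force the change.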
On Fri, 8 Dec 2000, Gerhard Sittig wrote: [snip]
Best would be, if the user-data could also be included into samba (samba should act as a login-server for his domain)
This however should be perfectly possible, just export the SAM from NT, and import the hashes into /etc/smbpasswd, which you need anyway. But then there's no login to the Linux machine (POP3, FTP...).
Read "man 5 smb.conf" and search for "sync" and/or "password". When you feed samba with passwords (that is, provide them in the clear) it can set the "traditional" Unix password for you, too. That's BTW convenient - and easier to teach - for those users who prefer "graphical frontends" and are afraid of typing "passwd" in a terminal session. That's when they could use the means MS software provides.
That will only work if your Windows stations submit their password in cleartext, for which you need to change a registry setting on Win95 (upwards of OSR2 (?)) and NT4.0 (since SP3). I wouldn't really do that.
Greetings
olli
On Sat, Dec 09, 2000 at 12:52 +0100, Oliver Hensel wrote:
On Fri, 8 Dec 2000, Gerhard Sittig wrote:
Read "man 5 smb.conf" and search for "sync" and/or "password". When you feed samba with passwords (that is, provide them in the clear) it can set the "traditional" Unix password for you, too. [ ... ]
That will only work if your Windows stations submit their password in cleartext, for which you need to change a registry setting on Win95 (upwards of OSR2 (?)) and NT4.0 (since SP3). I wouldn't really do that.
Sorry, but I don't want to follow you here. :) Don't confuse the cleartext auth (which *is* a bad idea) with the password changing dialog via "smbpasswd -r $MACHINE" -- or the Windows tools I referred to in the previous message.

To clear it up, maybe I was too vague: The l0phtcrack run probably provides you (not actually _you_, Olli, but the original poster:) with a list of the users' passwords. With this info one can populate the Unix user database and the Samba hashes. That means that the users probably won't notice the change.

And when they change their passwords later with the tools they are used to, they won't notice the change either. It still "feels" like talking to another Windows machine, and all the mechanisms using the Unix user database (EMail, Apache(?), FTP(for those who insist in using it), even shell sessions) are updated, too.

The only ugly point in this scenario is the plain text password list, of course. But we already talked about it several times: Those with access to the crypted / hashed representation have the chance of getting the plain text version by means of brute force. And as soon as people are using POP3 over the wire (without tunneling it in SSL or ssh port forwarding) or FTP for web updates (instead of file system access -- we're talking LAN here), one can get the plain text passwords with even less effort, just by watching ...

virtually yours
Gerhard Sittig
Hi

To sum it up: There is no easy and secure way to migrate users and passwords from an NT machine to Linux (or any other Unix for that matter). Since you have to somehow get your passwords over, I'd be inclined to take a better approach (which is IMHO completely going to Kerberos or better yet Secure-ID).

Greetings
olli

On Sat, 9 Dec 2000, Gerhard Sittig wrote:
On Sat, Dec 09, 2000 at 12:52 +0100, Oliver Hensel wrote:
On Fri, 8 Dec 2000, Gerhard Sittig wrote:
Read "man 5 smb.conf" and search for "sync" and/or "password". When you feed samba with passwords (that is, provide them in the clear) it can set the "traditional" Unix password for you, too. [ ... ]
That will only work if your Windows stations submit their password in cleartext, for which you need to change a registry setting on Win95 (upwards of OSR2 (?)) and NT4.0 (since SP3). I wouldn't really do that.
Sorry, but I don't want to follow you here. :) Don't confuse the cleartext auth (which *is* a bad idea) with the password changing dialog via "smbpasswd -r $MACHINE" -- or the Windows tools I referred to in the previous message.
To clear it up, maybe I was too vague: The l0phtcrack run probably provides you (not actually _you_, Olli, but the original poster:) with a list of the users' passwords. With this info one can populate the Unix user database and the Samba hashes. That means that the users probably won't notice the change.
And when they change their passwords later with the tools they are used to, they won't notice the change either. It still "feels" like talking to another Windows machine, and all the mechanisms using the Unix user database (EMail, Apache(?), FTP(for those who insist in using it), even shell sessions) are updated, too.
The only ugly point in this scenario is the plain text password list, of course. But we already talked about it several times: Those with access to the crypted / hashed representation have the chance of getting the plain text version by means of brute force. And as soon as people are using POP3 over the wire (without tunneling it in SSL or ssh port forwarding) or FTP for web updates (instead of file system access -- we're talking LAN here), one can get the plain text passwords with even less effort, just by watching ...
Hello,

yes, Oliver, you remember right :-)
To sum it up: There is no easy and secure way to migrate users and passwords from an NT machine to Linux (or any other Unix for that matter). Since you have to somehow get your passwords over, I'd be inclined to take a better approach (which is IMHO completely going to Kerberos or better yet Secure-ID).
This is the point where I stop understanding... Kerberos left, better secure-id right, I have no idea how to implement this when transferring user data from NT to linux. Okay, when following the different meanings I got the idea to set up linux as BDC (is this possible?) and to get the user-data from the still-existing NT-PDC. But, when doing this, I only get the accounts for login to the domain, and not "REAL" users being able to use POP-account and linux-account and so on. Okay, it could be possible to crack the accounts with l0pht or others, but this is not the main problem. Maybe I did not make it clear. So here's the complete position:

The client actually has an NT machine acting as
- file-server
- PDC
- getting mail from our system and distributing it to the different local accounts depending on the "to:"-field (fetchmail and procmail would be the solution when linux would be running, but with NT this is hard to manage for some reasons; this is one of the main reasons for his interest in switching to linux)
- and some other small, unimportant, services

There are actually about 500 accounts (yes, five hundred) and he only has the PW of about 100. The other accounts changed the PWs themselves. Some accounts are only logging in at the domain from time to time, so just taking temporary PWs and forcing them to change it themselves would be difficult to handle. So he asked if it would be possible to import the user-data to linux.

I'm somewhat familiar with Linux, but actually I'm just learning to cope with NT/2000 (doing training with the goal MCSE, but this is in the future; just BTW). So I know that I know nothing :-)) and asked here for assistance.

The transfer of the user-accounts should be made under best possible security, as the normal work has to go on meanwhile and no one within the domainspace should be able to get other user-data in any way. Does anyone have any ideas how to make this possible?

Thanks again for your help until now (and in advance for further assistance)
Hi.

Ok, I was just looking too far at a future possible concept. With 500 users, something like a "real" secure network design based on (yes repeating here) should be within budget... (emphasis on should). But you should look for a quick fix:
- either import the NT SAM to smbpasswd with the tool someone mentioned in this thread (but a quick search on google turned up... nothing)
- continue using your old NT PDC and authenticate against it with
  security = server or domain
  password server = ...
  use pam_smb to authenticate "real" Linux users against NT PDC (but take care! there were some issues with it, see suse security announcements)

Greetings
olli

On Sun, 10 Dec 2000, OKDesign oHG Security Webmaster wrote:
Hello,
yes, Oliver, you remember right :-)
To sum it up: There is no easy and secure way to migrate users and passwords from an NT machine to Linux (or any other Unix for that matter). Since you have to somehow get your passwords over, I'd be inclined to take a better approach (which is IMHO completely going to Kerberos or better yet Secure-ID).
This is the point where I stop understanding... Kerberos left, better secure-id right, I have no idea how to implement this when transferring user data from NT to linux. Okay, when following the different meanings I got the idea to set up linux as BDC (is this possible?) and to get the user-data from the still-existing NT-PDC. But, when doing this, I only get the accounts for login to the domain, and not "REAL" users being able to use POP-account and linux-account and so on. Okay, it could be possible to crack the accounts with l0pht or others, but this is not the main problem. Maybe I did not make it clear. So here's the complete position:
The client actually has an NT machine acting as
- file-server
- PDC
- getting mail from our system and distributing it to the different local accounts depending on the "to:"-field (fetchmail and procmail would be the solution when linux would be running, but with NT this is hard to manage for some reasons; this is one of the main reasons for his interest in switching to linux)
- and some other small, unimportant, services
There are actually about 500 accounts (yes, five hundred) and he only has the PW of about 100. The other accounts changed the PWs themselves. Some accounts are only logging in at the domain from time to time, so just taking temporary PWs and forcing them to change it themselves would be difficult to handle. So he asked if it would be possible to import the user-data to linux.

I'm somewhat familiar with Linux, but actually I'm just learning to cope with NT/2000 (doing training with the goal MCSE, but this is in the future; just BTW). So I know that I know nothing :-)) and asked here for assistance.

The transfer of the user-accounts should be made under best possible security, as the normal work has to go on meanwhile and no one within the domainspace should be able to get other user-data in any way. Does anyone have any ideas how to make this possible?

Thanks again for your help until now (and in advance for further assistance)
Hi List,
Hi Stephan.
On Fri, 8 Dec 2000, OKDesign oHG Security Webmaster wrote:
Hi folks,
finally one of our clients is interested in switching from WinDoof to Linux. But he needs some tool to import the existing users on WindowsNT to Linux in a secure manner (that means, not only importing the users, but also the passwords; but he doesn't know all passwords). Is there any way to do this efficiently?
IMHO it's not possible to import the passwords from WinNT to Linux due to the fact that they use different hashing algorithms (Linux crypt(), which is a better form of DES, WinNT uses some kind of MD5 (?)). If you can get Linux to use the same hashing algorithm (perhaps MD5 with PAM? I don't know for sure), it should be somehow possible. But I don't really know of any efficient (and really secure) method. Sure, you could crack the passwords with l0phtcrack, and import them under Linux, not what I'd call secure and/or efficient :-).
Best would be, if the user-data could also be included into samba (samba should act as a login-server for his domain)
This however should be perfectly possible, just export the SAM from NT, and import the hashes into /etc/smbpasswd, which you need anyway. But then there's no login to the Linux machine (POP3, FTP...).
Greetings olli
Thanks in advance
I found some time ago a little C source, which imports 'an NT SAM database into a Samba smbpasswd file'. Don't know where I found it, nor whether it works .... Just have a look at it ...

Bye
Theodor Masche
On Fri, 8 Dec 2000, Oliver Hensel wrote:
Best would be, if the user-data could also be included into samba (samba should act as a login-server for his domain)
This however should be perfectly possible, just export the SAM from NT, and import the hashes into /etc/smbpasswd, which you need anyway. But then there's no login to the Linux machine (POP3, FTP...).
For that you can use PAM-SMB which authenticates unix users against an NT-PDC and samba. You will have to twiddle your PAM settings if you have mixed userbases I guess.

Robert
--
Robert Casties --------------------- http://philoscience.unibe.ch/~casties
History & Philosophy of Science Tel: +41/31/631-8505 Room: 216
Institute for Exact Sciences Sidlerstrasse 5, CH-3012 Bern
Uni Bern (PGP key on homepage: D7 2B DE 64 2D 65 16 A0)
Hi

On Sat, 9 Dec 2000, Robert Casties wrote:
On Fri, 8 Dec 2000, Oliver Hensel wrote:
Best would be, if the user-data could also be included into samba (samba should act as a login-server for his domain)
This however should be perfectly possible, just export the SAM from NT, and import the hashes into /etc/smbpasswd, which you need anyway. But then there's no login to the Linux machine (POP3, FTP...).
For that you can use PAM-SMB which authenticates unix users against an NT-PDC and samba. You will have to twiddle your PAM settings if you have mixed userbases I guess.
But then you have to keep the NT-PDC, which is not what the original user wanted, if I remember right.
Robert
Greetings
olli
On Sat, Dec 09, 2000 at 23:22 +0100, Oliver Hensel wrote:
On Sat, 9 Dec 2000, Robert Casties wrote:
For that you can use PAM-SMB which authenticates unix users against an NT-PDC and samba. You will have to twiddle your PAM settings if you have mixed userbases I guess.
But then you have to keep the NT-PDC, which is not what the original user wanted, if I remember right.
You can setup Samba as a PDC as well. Been there, done that. Did it with 2.0.7. Although there are some culprits (It doesn't cope with a BDC, no matter if it's NT or Samba. And accessing it from Win2K has some problems IIRC, since MS changes RPC calls with every version and between the graphical and the textmode frontends.) But 2.2.0alpha was just released, maybe this aspect got improved, too?

virtually yours
Gerhard Sittig
On Sun, 10 Dec 2000, Gerhard Sittig wrote:
On Sat, Dec 09, 2000 at 23:22 +0100, Oliver Hensel wrote:
On Sat, 9 Dec 2000, Robert Casties wrote:
For that you can use PAM-SMB which authenticates unix users against an NT-PDC and samba. You will have to twiddle your PAM settings if you have mixed userbases I guess.
But then you have to keep the NT-PDC, which is not what the original user wanted, if I remember right.
You can setup Samba as a PDC as well. Been there, done that. Did it with 2.0.7. Although there are some culprits (It doesn't cope with a BDC, no matter if it's NT or Samba. And accessing it from Win2K has some problems IIRC, since MS changes RPC calls with every version and between the graphical and the textmode frontends.) But 2.2.0alpha was just released, maybe this aspect got improved, too?
Yes you can do that, but then there still remains the problem how to migrate the users and passwords from the NT PDC to the Samba server (especially since you cannot setup Samba to act as BDC to synchronize with the PDC, as you correctly mention). So we're back at the original question: how to migrate from NT-PDC to Samba-PDC (or standalone) with the existing users and passwords (and that automatically, secure and without too much hassle). I have not yet seen a really good suggestion, sorry.
Greetings
olli