Mailinglist Archive: opensuse-security (520 mails)

Re: AW: [suse-security] importing users
  • From: Oliver Hensel <oliver.hensel@xxxxxxx>
  • Date: Sun, 10 Dec 2000 01:11:51 +0100 (CET)
  • Message-id: <Pine.LNX.4.21.0012100100440.16532-100000@xxxxxxxxxxxxxxxxxxxxxxxxx>

Ok, I was just looking too far at a future possible concept. With 500
users, something like a "real" secure network design based on (yes
repeating here) should be within budget... (emphasis on should).

But you should look for a quick fix:
- either import the NT SAM to smbpasswd with the tool someone mentioned in
this thread (but a quick search on google turned up... nothing)
- continue using your old NT PDC and authenticate against it with
    security = server or domain
    password server = ...
use pam_smb to authenticate "real" Linux users against NT PDC
(but take care! there were some issues with it, see suse security


On Sun, 10 Dec 2000, OKDesign oHG Security Webmaster wrote:

> Hello,
> yes, Oliver, you remember right :-)
> > To sum it up:
> > There is no easy and secure way to migrate users and passwords from a NT
> > machine to Linux (or any other Unix for that matter).
> > Since you have to somehow get your passwords over, I'd be inclined to
> > take a better approach (which is IMHO completely going to Kerberos or
> > better yet Secure-ID).
> This is the point where I stop understanding...
> Kerberos left, better secure-id right, I have no idea how to implement this
> when transfer user data from NT to linux.
> Okay, when following the different meanings I got the idea to set up linux
> as BDC (is this possible ?) and to get the user-data from the still-existing
> NT-PDC. But, when doing this, I only get the accounts for login to the
> domain, and not "REAL" users being able to use POP-account and linux-account
> and so on.
> Okay, it could be possible to crack the accounts with l0pht or others, but
> this is not the main problem. Maybe I did not make it clear. So here's the
> complete position:
> The client actually has an NT machine acting as
> - file-server
> - PDC
> - getting mail from our system and distribute it to the different local
> accounts depending on the "to:"-field (fetchmail and procmail would be the
> solution when linux would be running, but with NT this is hard to manage for
> some reasons; this is one of the main-reasons for his interest in switching
> to linux)
> - and some other small, unimportant, services
> There are actually about 500 accounts (yes, five hundred) and he only has the
> PW of about 100. The other accounts changed the PWs themselves. Some
> accounts are only logging in at the domain from time to time, so just taking
> temporary PWs and to force them to change it themselves would be difficult
> to handle. So he asked if it would be possible to import the user-data to
> linux.
> I'm somewhat familiar with Linux, but actually I'm just learning to cope
> with NT/2000 (doing training with the goal MCSE, but this is in the future;
> just BTW)
> So I know that I know nothing :-)) and asked here for assistance.
> The transfer of the user-accounts should be made under best possible
> security, as the normal work has to go on meanwhile and no one within the
> domainspace should be able to get other user-data in any way.
> Does anyone have any ideas how to make this possible ?
> Thanks again for your help until now (and in advance for further assistance)
> ---
> --------------------------------------------
> Stephan M. Ott // OKDesign oHG
> Internet-Providing und Netzwerkmanagement
> smo@xxxxxxxxxxx .....
> fon. +49 961 3814139 .. fax. +49 961 3814140
> mobil 0171-8351130 ... oder ... 0171-7858064
> --------------------------------------------

Oliver Hensel <oliver.hensel@xxxxxxx>

Training + Consulting
Unix - Linux - Firewalls - Security
