Mailinglist Archive: opensuse-security (520 mails)

Re: [suse-security] importing users
  • From: Oliver Hensel <oliver.hensel@xxxxxxx>
  • Date: Sat, 9 Dec 2000 23:26:58 +0100 (CET)
  • Message-id: <Pine.LNX.4.21.0012092322160.16532-100000@xxxxxxxxxxxxxxxxxxxxxxxxx>

To sum it up:
There is no easy and secure way to migrate users and passwords from a NT
machine to Linux (or any other Unix for that matter).
Since you have to somehow get your passwords over, I'd be inclined to
take a better approach (which is IMHO completely going to Kerberos or
better yet Secure-ID).


On Sat, 9 Dec 2000, Gerhard Sittig wrote:

> On Sat, Dec 09, 2000 at 12:52 +0100, Oliver Hensel wrote:
> > On Fri, 8 Dec 2000, Gerhard Sittig wrote:
> > >
> > > Read "man 5 smb.conf" and search for "sync" and/or
> > > "password". When you feed samba with passwords (that is,
> > > provide them in the clear) it can set the "traditional" Unix
> > > password for you, too. [ ... ]
> >
> > That will only work if your Windows stations submit their
> > password in cleartext, for which you need to change a registry
> > setting on Win95 (upwards of OSR2 (?)) and NT4.0 (since SP3). I
> > wouldn't really do that.
> Sorry, but I don't want to follow you here. :) Don't confuse the
> cleartext auth (which *is* a bad idea) with the password changing
> dialog via "smbpasswd -r $MACHINE" -- or the Windows tools I
> referred to in the previous message.
> To clear it up, maybe I was too vague: The l0phtcrack run
> probably provides you (not actually _you_, Olli, but the original
> poster:) with a list of the users' passwords. With this info one
> can populate the Unix user database and the Samba hashes. That
> means that the users probably won't notice the change.
> And when they change their passwords later with the tools they
> are used to, they won't notice the change either. It still
> "feels" like talking to another Windows machine, and all the
> mechanisms using the Unix user database (EMail, Apache(?),
> FTP(for those who insist on using it), even shell sessions) are
> updated, too.
> The only ugly point in this scenario is the plain text password
> list, of course. But we already talked about it several times:
> Those with access to the crypted / hashed representation have the
> chance of getting the plain text version by means of brute force.
> And as soon as people are using POP3 over the wire (without
> tunneling it in SSL or ssh port forwarding) or FTP for web
> updates (instead of file system access -- we're talking LAN
> here), one can get the plain text passwords with even less
> effort, just by watching ...
> virtually yours 82D1 9B9C 01DC 4FB4 D7B4 61BE 3F49 4F77 72DE DA76
> Gerhard Sittig true | mail -s "get gpg key" Gerhard.Sittig@xxxxxxx

Oliver Hensel <oliver.hensel@xxxxxxx>

Training + Consulting
Unix - Linux - Firewalls - Security
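The migration Gerhard sketches above (seed the Unix user database and the Samba hashes from a user:password list, and let Samba's "unix password sync" keep the two in step when users later change passwords from Windows), as an added example script that is not part of this thread and not Samba's own tooling. The smb.conf option names (encrypt passwords, unix password sync, passwd program, passwd chat) and the commands useradd, chpasswd and smbpasswd -a -s are real; the "passwd chat" string, the output paths, the DRY_RUN and CMDLOG variables and the sample user list are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the thread: populate Unix accounts and Samba
# password hashes from a "user:password" list, and write the smb.conf
# globals that make Samba push later password changes into the Unix side.
# Assumptions (hypothetical): DRY_RUN=1 only records the commands in CMDLOG
# instead of running them; the passwd chat must match the local passwd(1).
set -eu

DRY_RUN="${DRY_RUN:-1}"            # 1 = record commands, 0 = really run them
CMDLOG="${CMDLOG:-/dev/stdout}"    # where dry-run commands are recorded

# smb.conf [global] fragment: encrypted (NTLM) auth on the wire, no
# cleartext registry hack needed, and Samba updates /etc/shadow through
# the passwd program whenever a client changes its password.
write_smbconf() {
    cat > "$1" <<'EOF'
[global]
   encrypt passwords = yes
   unix password sync = yes
   passwd program = /usr/bin/passwd %u
   passwd chat = *New*password* %n\n *Retype*new*password* %n\n *all*authentication*tokens*updated*
EOF
}

# Only conservative Unix account names are accepted; NT names with spaces
# or capitals are rejected rather than silently mangled.
valid_user() {
    printf '%s' "$1" | grep -Eq '^[a-z_][a-z0-9_-]{0,31}$'
}

emit() { printf '%s\n' "$*" >> "$CMDLOG"; }

# Create the Unix account, set its password, then add the Samba hash.
# smbpasswd -s reads the new password twice from stdin; the password is
# never put on a command line and never written to the dry-run log.
migrate_user() {
    user="$1"; pass="$2"
    valid_user "$user" || { echo "skip invalid user: $user" >&2; return 1; }
    if [ "$DRY_RUN" = 1 ]; then
        emit "useradd -m -s /bin/false $user"
        emit "chpasswd  # stdin: $user:<password>"
        emit "smbpasswd -a -s $user  # stdin: <password> twice"
    else
        useradd -m -s /bin/false "$user"
        printf '%s:%s\n' "$user" "$pass" | chpasswd
        printf '%s\n%s\n' "$pass" "$pass" | smbpasswd -a -s "$user"
    fi
}

# Process a user:password file; a ':' inside the password is kept because
# only the first field is split off.  Prints the number of users migrated.
migrate_file() {
    n=0
    while IFS=: read -r user pass; do
        [ -n "$user" ] || continue
        if migrate_user "$user" "$pass"; then n=$((n + 1)); fi
    done < "$1"
    echo "$n"
}

# Constructed sample input, the shape a cracked-password list would have.
sample_list() {
    cat <<'EOF'
alice:Passw0rd
Bad User:whatever
bob:s3cr:et
EOF
}
```

Run it once with DRY_RUN=1 and read CMDLOG before doing it for real as root; the plaintext list itself is the ugly part Gerhard mentions, so keep it off shared filesystems and delete it as soon as the smbpasswd file is populated.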
