On Mon, Jul 18, 2011 at 11:05 AM, Jordan Brown <jordan.br...@oracle.com> wrote:
> The *implementation* reason for it is twofold:  First, workgroup-mode
> authentication is based on NT hashed passwords.  A UNIX system doesn't store
> the clear text of your password, only a UNIX-style one-way hash of the
> password, and so cannot generate an NT hashed password to do its side of the
> authentication.  The only way to do that authentication is to get the
> cleartext password, do an NT-style hash on it, and store that NT-style
> hashed password.  You can't take an existing UNIX system, slap an SMB server
> on it, and have authentication just work; the UNIX system simply doesn't
> have the information that it needs.  Second, there needs to be some user

To be fair we had the same problem with Kerberos.  The way this is
solved is to create the necessary information.  For Kerberos one way
to do that is to use the pam_krb5_migrate(5) module.  You could
implement the same solution for a NIS or RFC2307bis+ based
"workgroup".

> interface by which the password gets entered by the user, turned into an NT
> hash, and stored.  The implementation chosen is to interpose on the normal
> UNIX password-set function... which is, by and large, only usable on
> locally-defined users.  That's arguably a gap that should be corrected:

Nah, just interpose on normal login :)

> there should be a way to explicitly store the NT-style hash for a user who
> exists in LDAP or NIS.  Adding such a thing would allow you to set up
> LDAP-based or NIS-based users for SMB access.  However, you'd still have to
> more-or-less manually maintain those NT-hash passwords locally, because your
> LDAP and NIS servers don't store them.

That would have to get fixed, but it's not *that* hard.

> BTW, Windows systems don't use LDAP for authentication.  With Active
> Directory, they use Kerberos.  You could, in theory, set up Kerberos, LDAP,

Or PKI.

> and related systems to simulate enough of Active Directory that a client
> would try to authenticate using Kerberos, but at that point, well, you've
> implemented Active Directory and you no longer have a "workgroup"
> environment.

Right.  (It's LDAP + Kerberos + DNS + various MSRPCs.)

> Does that help to clarify the situation?  As best I can tell, it's partly a
> questionable limitation (no way to manage NT-hash passwords for non-local
> users) and partially a limitation imposed by the mismatch between the two
> authentication systems (UNIX-hash-based and NT-hash-based).

One could argue that it's a shortcoming of Solaris.  The question is:
does Oracle (or the Illumos community) care to address this?  I don't
see why they should.

Nico
--
_______________________________________________
cifs-discuss mailing list
cifs-discuss@opensolaris.org
http://mail.opensolaris.org/mailman/listinfo/cifs-discuss
