Apologies to the original poster for Rob & I chopping this all up...

On Fri, May 30, 2008 at 4:37 PM, Rob Shinn <[EMAIL PROTECTED]> wrote:
> On Fri, May 30, 2008 at 3:12 PM, Charlie <[EMAIL PROTECTED]> wrote:
>>
>> When I converted our networks to samba a decade or more ago, I started
>> out by trying to crack all our user passwords by brute force, but I
>> could only get about 90% of them in any reasonable time frame. So,
>
> Wow. *Only* 90%. Did the security admin have a cow? Perhaps your password
> policies were too lax?

Nowadays I could probably do better. There's more compute power available, and rainbow tables are easy script-kiddy stuff these days. But yes, I did have a cow, and yes, our password policies were (but no longer are) certainly much too lax.

>> instead, we modified our password changing process to produce the NT
>> and LM hashes as well as the MD5 hashes and made all our users
>> passwords expire over the course of the next two weeks.
>
> Maybe it should be mentioned that this can be accomplished with the 'unix
> password sync = yes' if you are using pam_ldap on your Samba server.

AFAIK, that will only work *after* you've gotten synchronized to start with. If you haven't any NT hashes, just MD5 hashes like the original poster, your users can't log into samba since samba can't supply an NT hash to the client PC with CHAP or whatever. Samba makes it easy to maintain sync even though it's hard to establish sync initially.

Oh, and "ldap password sync = yes" is probably more efficient - keeps the name service switch and PAM out of the picture - but I think you should watch out to make sure your LDAP transport is using the encryption you want it to, or you might get plaintext or SHA hashes in userPassword instead of salted MD5s.

--Charlie
