NTLM LDAP synchronization
Matthew Carpenter
matt
Fri Feb 25 12:21:26 PST 2005
Aaron Grewell wrote:
> If you can get away with it, port the users off the NT4 server using
> Samba's RPC vampire capability. If the NT4 server can be a member
> server of a Samba domain rather than being the DC then it'll get its
> users from Samba, which can be backended to LDAP. It'd be a bit of work
> to set it up, but would remove the need for synchronization altogether.
>
This would be my suggestion.
NT and Unix store passwords in different ways. 9 months of precomputing
and 118GB drive space and you too can have Rainbow crack tables to crack
NT passwords in 3 minutes, but that still does not provide a decent
near-term solution.
DirXML is a *great* product for this, but I understand the budgetary
concerns.
DirXML can do AD password synching, but they load a DLL on the AD domain
controller, which triggers an event each time the AD password is
changed, which intercepts the unencrypted password and pumps it into
NetWare/OES. Likewise, prior to applying eDirectory changes, the
unencrypted password is used to create the NTLM/LANMAN hash which is
pushed into AD by that DLL on the domain controller. We have been using
DirXML for some time to sync several directories, and were going to use
it to keep AD and eDir in sync, but the AD MCSE dudes are too freaked
about loading any 3rd-party DLLs on their DCs. I do believe they are
rather nervous about so much importance being placed on something made
of Glass.
Short of coding something of your own to snag passwords from the NT
server before they are encrypted, creating a SAMBA domain using an LDAP
backend makes a lot of sense.
--
Matthew Carpenter
matt at eisgr.com http://www.eisgr.com/
Enterprise Information Systems
* Network Server Appliances
* Security Consulting, Incident Handling & Forensics
* Network Consulting, Integration & Support
* Web Integration and E-Business