Re: [NTISP] Moving from the NT SAM

Dale E. Reed Jr. (no email)
Sun, 07 Mar 1999 19:51:31 -0800

Richard Fink wrote:
>
> >You can use many of the normal utilities to extract the usernames
> >from the NT SAM. Then you can import all of those into a RadiusNT
> >database with WINNT as the password and the password replace option.
> >
> >Eventually you can get a full userlist in the database without
> >causing any disruption of your service (or your users ever knowing).
>
> How does that work, Dale? Getting the Userlist is no problem. But the NT Passwords are. What does RadiusNT do here? Does it just take the "given" password from the user and then "make that" the Radius password?
>
> Probably not a problem, but it seems like a non-customer user could get one free chance to get in, in that case, thereby also mucking the real user's real password.
>
> I'll bet you've got it figured out better than that... I'd like to understand it though.

Yes, it definitely works better than that. :)

The first authentication, RadiusNT sees the user's password as "WINNT"
and then compares their password against the NT SAM. If the comparison
is correct and password replace is on, it will replace the "WINNT" with
the user's password they typed in the first place. All authentications
after that come from the database, and the NT SAM user entry is no longer
used or needed.

-- 

Dale E. Reed Jr.   Emerald and RadiusNT
__________________________________________
IEA Software, Inc.   www.iea-software.com

For more information about this list, including removal, see this url: http://www.iea-software.com/maillist.html
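
The migrate-on-first-login flow described in the reply above, as an added sketch that is not part of the original message and is not RadiusNT's code. The `db` dict, the `legacy_check` callback standing in for the NT SAM, and the choice to store a salted PBKDF2 hash on replace are all assumptions of this example; the sample account is constructed.

```python
import hashlib
import hmac
import os

SENTINEL = "WINNT"  # marker meaning "not migrated yet", as in the message above

def _hash(password, salt):
    # Assumption of this sketch: the replaced password is kept as a salted hash.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def authenticate(db, legacy_check, username, password, replace=True):
    """Return True if the login is accepted.

    db: dict of username -> SENTINEL or (salt, digest); stand-in for the user table.
    legacy_check: callable(username, password) -> bool; stand-in for the NT SAM.
    """
    record = db.get(username)
    if record is None:
        return False
    if record == SENTINEL:
        # The marker is never compared with what the user typed; only the
        # legacy store can vouch for the password at this stage.
        if not legacy_check(username, password):
            return False  # failed attempt: the record stays untouched
        if replace:
            salt = os.urandom(16)
            db[username] = (salt, _hash(password, salt))
        return True
    salt, digest = record  # already migrated: the legacy store is not consulted
    return hmac.compare_digest(_hash(password, salt), digest)

def demo():
    sam = {"alice": "s3cret-Pass"}  # constructed legacy account
    calls = []
    def legacy_check(user, pw):
        calls.append(user)
        return hmac.compare_digest(sam.get(user, "").encode(), pw.encode())
    db = {"alice": SENTINEL}
    results = [
        authenticate(db, legacy_check, "alice", "WINNT"),  # marker typed as password
        authenticate(db, legacy_check, "alice", "guess"),  # wrong password
        db["alice"] == SENTINEL,                           # record still unmigrated
        authenticate(db, legacy_check, "alice", "s3cret-Pass"),  # first good login
        authenticate(db, legacy_check, "alice", "s3cret-Pass"),  # served from db
    ]
    return results, len(calls), db["alice"] != SENTINEL
```
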