Mark,
We were not aware of your problem. In the future, you should contact your OU administrator. Part of CalNetAD being a free service is that OU administrators provide first level support. OU administrators can open trouble tickets 24/7 by calling 642-4920 or e-mailing trouble@socrates.berkeley.edu.
As to your question about testing, some history first. Vulnerabilities were found in NTLMv1 around 10 years ago and fixed in NTLMv2 when NT4 SP4 was released. At the direction of the planning committee, CalNetAD has never supported NTLMv1. An exception was made for a pre-production adopter that needed support for SQL 7. The domain controllers were configured to allow NTLM, but the domain GPO was configured to only support NTLMv2. The theory was that workstations and file servers in the forest would then use NTLMv2.
We first tried to eliminate NTLMv1 on July 22, 2002, but a number of administrators had changed their own GPOs to allow NTLMv1. Administrators had started connecting Macs to the forest. The Macs were insecure and wouldn't support NTLMv2 or Kerberos. Apple claimed to have made some fixes with Jaguar, so we again tried blocking NTLMv1 in March. Apple finally fixed their problems with the release of Panther. During this process the OU admins were continually notified. Objections were not raised and we were told that tests against our test forest were successful, so we implemented the change.
What we are finding now is that administrators were syncing CalNet passphrases with CalNetAD shadow passwords, insecurely sending CalNet passphrases across the network. Backing out changes and allowing transmission of insecure passphrases is not an option.
Native Panther users should instead connect to shares via Kerberos and cifs. We are currently working on documentation to explain this process.
Units will have to evaluate their internal policies to determine why after two years of notice, warnings against using NTLMv1, and a freely available test environment, administrators were not prepared for Monday's NTLMv1 abatement.
Eric Chamberlain, CISSP
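The message above turns on which clients are still sending NTLMv1 responses despite the domain GPO. The following is an added example, not code from this thread or from CalNetAD: a small parser for the NTLM AUTHENTICATE_MESSAGE (Type 3) that tells NTLMv1 responses (a 24-byte NtChallengeResponse) from NTLMv2 responses (a 16-byte HMAC followed by a client challenge block), so an administrator reviewing captured SMB or HTTP authentication blobs can list the hosts that need their settings fixed. It assumes the NTLMSSP blob has already been extracted from its carrier protocol; the sample messages are constructed with filler response bytes, not real hashes, and the hostnames and users are made up.

```python
import struct

# Constants from the NTLM message layout (MS-NLMP AUTHENTICATE_MESSAGE).
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
AUTHENTICATE_MESSAGE = 3
FIXED_HEADER_LEN = 64   # signature, type, six field descriptors, NegotiateFlags
NTLMSSP_NEGOTIATE_UNICODE = 0x00000001
NTLMSSP_REQUEST_TARGET = 0x00000004
NTLMSSP_NEGOTIATE_NTLM = 0x00000200
NTLMSSP_NEGOTIATE_ALWAYS_SIGN = 0x00008000
NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY = 0x00080000
BASE_FLAGS = (NTLMSSP_NEGOTIATE_UNICODE | NTLMSSP_REQUEST_TARGET
              | NTLMSSP_NEGOTIATE_NTLM | NTLMSSP_NEGOTIATE_ALWAYS_SIGN)


def build_authenticate_message(lm_response, nt_response, domain, user,
                               workstation, flags=BASE_FLAGS):
    """Assemble a minimal AUTHENTICATE_MESSAGE (Type 3). Constructed test input
    only: it lays out the field descriptors and payload so the parser can be
    exercised offline; it does not compute real challenge responses."""
    payload_fields = [lm_response, nt_response,
                      domain.encode("utf-16-le"), user.encode("utf-16-le"),
                      workstation.encode("utf-16-le"),
                      b""]                       # no EncryptedRandomSessionKey
    header = NTLMSSP_SIGNATURE + struct.pack("<I", AUTHENTICATE_MESSAGE)
    payload = b""
    offset = FIXED_HEADER_LEN
    for field in payload_fields:                 # Len, MaxLen, BufferOffset
        header += struct.pack("<HHI", len(field), len(field), offset)
        payload += field
        offset += len(field)
    header += struct.pack("<I", flags)
    return header + payload


def _read_field(msg, descriptor_pos):
    """Resolve a (Len, MaxLen, BufferOffset) descriptor to its bytes, bounds-checked."""
    length, _max_len, offset = struct.unpack_from("<HHI", msg, descriptor_pos)
    if offset + length > len(msg):
        raise ValueError("field descriptor points past end of message")
    return msg[offset:offset + length]


def classify_authenticate(msg):
    """Return which response type a Type 3 message carries, plus who sent it."""
    if len(msg) < FIXED_HEADER_LEN or not msg.startswith(NTLMSSP_SIGNATURE):
        raise ValueError("not an NTLMSSP message")
    (msg_type,) = struct.unpack_from("<I", msg, 8)
    if msg_type != AUTHENTICATE_MESSAGE:
        raise ValueError("expected AUTHENTICATE_MESSAGE (type 3), got %d" % msg_type)
    lm_resp = _read_field(msg, 12)
    nt_resp = _read_field(msg, 20)
    (flags,) = struct.unpack_from("<I", msg, 60)
    enc = "utf-16-le" if flags & NTLMSSP_NEGOTIATE_UNICODE else "ascii"
    domain = _read_field(msg, 28).decode(enc)
    user = _read_field(msg, 36).decode(enc)
    workstation = _read_field(msg, 44).decode(enc)

    if len(nt_resp) == 0 and len(lm_resp) <= 1:
        kind = "anonymous"
    elif len(nt_resp) == 24:
        # A 24-byte NtChallengeResponse is the DES-based NTLMv1 response. With
        # extended session security the LM field is an 8-byte client nonce
        # padded with 16 zero bytes; the key material is still NTLMv1.
        if len(lm_resp) == 24 and lm_resp[8:] == bytes(16):
            kind = "NTLMv1 (extended session security)"
        else:
            kind = "NTLMv1"
    elif len(nt_resp) >= 44 and nt_resp[16] == 1 and nt_resp[17] == 1:
        # 16-byte HMAC-MD5 followed by NTLMv2_CLIENT_CHALLENGE (RespType 1, HiRespType 1).
        kind = "NTLMv2"
    else:
        kind = "unrecognised"
    return {"kind": kind, "domain": domain, "user": user, "workstation": workstation}


def ntlmv1_clients(blobs):
    """Audit helper: given (source_host, type3_blob) pairs, list the hosts that
    still authenticate with NTLMv1 so their GPO or client settings can be fixed."""
    offenders = []
    for host, blob in blobs:
        info = classify_authenticate(blob)
        if info["kind"].startswith("NTLMv1"):
            offenders.append((host, info["user"], info["kind"]))
    return offenders


# Constructed sample captures (filler response bytes, not real hashes).
SAMPLE_V1 = build_authenticate_message(b"\xaa" * 24, b"\xbb" * 24, "CAMPUS", "alice", "LAB-PC01")
SAMPLE_V1_ESS = build_authenticate_message(
    b"\xcc" * 8 + bytes(16), b"\xdd" * 24, "CAMPUS", "bob", "MAC-G4",
    BASE_FLAGS | NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY)
SAMPLE_V2 = build_authenticate_message(
    b"\xee" * 24,
    b"\x11" * 16 + b"\x01\x01" + bytes(2) + bytes(4) + bytes(8) + b"\x22" * 8 + bytes(4) + bytes(4),
    "CAMPUS", "carol", "WS-42")

if __name__ == "__main__":
    samples = [("10.0.0.5", SAMPLE_V1), ("10.0.0.6", SAMPLE_V1_ESS), ("10.0.0.7", SAMPLE_V2)]
    for host, user, kind in ntlmv1_clients(samples):
        print("%s (%s) still uses %s" % (host, user, kind))
```

The length test is the reliable discriminator: an NTLMv2 response is never 24 bytes because the client challenge block that follows the HMAC is at least 28 bytes on its own. Treating the "extended session security" variant as NTLMv1 matters here, because that is exactly the mode a client may fall back to when a GPO below the "send NTLMv2 response only" level is in effect.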
-----Original Message-----
From: "Mark Ingles"<mingles@berkeley.edu>
Sent: 5/26/04 5:12:21 PM
To: "eric@berkeley.edu"<eric@berkeley.edu>
Cc: "luken Nucum"<luken@socrates.Berkeley.EDU>, "micronet-list@calmail.berkeley.edu"<micronet-list@calmail.berkeley.edu>, "MAGNet-UCB Macintosh support user group"<magnet-list@lists.berkeley.edu>, "Nory Ison"<nory@berkeley.edu>, "Daniel Bass"<dbass@socrates.berkeley.edu>
Subject: Re: [Micronet] ADmitMac Educational Pricing / pam_ldap
Hi Eric,
Are the Active Directory folks aware that OS X users can no longer
access Windows servers bound to the campus AD? This problem affects
10.3.3 and 10.2.8 users. We get the error message:
"Invalid name or password - You have entered an invalid user name or
password. Please try again."
Why wasn't the NTLMv2 upgrade tested to avoid this before it was
implemented? Is there a solution in the works?
Thank you,
Mark Ingles
DOCS/WSS
643-3107
On May 26, 2004, at 2:02 PM, Eric Chamberlain, CISSP wrote:
>> -----Original Message-----
>> From: owner-micronet-list@listlink.berkeley.edu
>> [mailto:owner-micronet-list@listlink.berkeley.edu] On Behalf
>> Of Ross S. Dmochowski
>> Sent: Wednesday, May 26, 2004 1:36 PM
>> To: micronet-list@calmail.berkeley.edu
>> Cc: bits-forum@calmail.berkeley.edu
>> Subject: [Micronet] ADmitMac Educational Pricing / pam_ldap
>>
>> http://www.thursby.com/products/admitmac-edu-pricing.html
>>
>> At $80 a seat, I don't know what kind of academics they think
>> they are pricing for...
>>
>> Bob, has UC ever purchased this before?
>> I looked through some old email, as I thought I remember
>> someone else asking about this a while back.
>>
>> This really shores up the deficiencies (like lack of NTLMv2
>> support) in OS X offerings for LDAPS auth.
>>
>> Is anyone else using this, or just using the ActiveDirectory
>> aware components of OS X?
>>
>> anyone else using pam_ldap to authenticate against Active
>> Directory? :-)
>>
>
> For interoperability with campus services, Kerberos authentication should
> really be encouraged over LDAP. LDAP is not an authentication protocol and
> has a number of limitations. The most important being that unless it is
> properly configured to use SSL, it will send the password in cleartext.
>
> --
> Eric Chamberlain, CISSP
> Campus Active Directory Architect
> Central Computing Services
> University of California, Berkeley
> http://calnetad.berkeley.edu
>
>
>
>
> --
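Eric's quoted point, that an LDAP simple bind without SSL carries the password in cleartext, is easy to verify on the wire, and the same parsing lets a monitor flag such binds. The following is an added example and not code from this thread, from Berkeley, or from pam_ldap: a minimal BER encoder and decoder for the LDAP BindRequest (RFC 4511) that shows the password sitting verbatim in a simple bind PDU, contrasts it with a SASL/GSSAPI bind (the way Kerberos is carried over LDAP), and runs a detection pass over reassembled TCP payloads to report cleartext binds on port 389. The DNs, hosts and token bytes are constructed; the helper names are this example's own.

```python
# Minimal BER helpers for the LDAP PDUs used here (RFC 4511 BindRequest).
BER_INTEGER, BER_OCTET_STRING, BER_SEQUENCE = 0x02, 0x04, 0x30
LDAP_BIND_REQUEST = 0x60          # [APPLICATION 0] constructed
AUTH_SIMPLE = 0x80                # [0] primitive: the password as an OCTET STRING
AUTH_SASL = 0xA3                  # [3] constructed: SaslCredentials


def _ber_length(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _ber_length(len(body)) + body


def _ber_int(n):
    return _tlv(BER_INTEGER, n.to_bytes(n.bit_length() // 8 + 1, "big", signed=True))


def encode_simple_bind(message_id, dn, password):
    """LDAPMessage { messageID, BindRequest { version 3, name dn, simple password } }."""
    bind = _tlv(LDAP_BIND_REQUEST, _ber_int(3) + _tlv(BER_OCTET_STRING, dn.encode())
                + _tlv(AUTH_SIMPLE, password.encode()))
    return _tlv(BER_SEQUENCE, _ber_int(message_id) + bind)


def encode_sasl_bind(message_id, mechanism, credentials=b""):
    """Same envelope, but authentication is SaslCredentials { mechanism, credentials }."""
    sasl = _tlv(AUTH_SASL, _tlv(BER_OCTET_STRING, mechanism.encode())
                + _tlv(BER_OCTET_STRING, credentials))
    bind = _tlv(LDAP_BIND_REQUEST, _ber_int(3) + _tlv(BER_OCTET_STRING, b"") + sasl)
    return _tlv(BER_SEQUENCE, _ber_int(message_id) + bind)


def _read_tlv(buf, pos):
    """Decode one TLV at pos; returns (tag, body, position after it). Rejects
    indefinite and truncated lengths rather than reading past the buffer."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("indefinite or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("TLV body runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


def inspect_bind(pdu):
    """Return details of a BindRequest PDU, or None if the PDU is another operation."""
    tag, msg, _ = _read_tlv(pdu, 0)
    if tag != BER_SEQUENCE:
        raise ValueError("not an LDAPMessage")
    tag, msg_id, pos = _read_tlv(msg, 0)
    if tag != BER_INTEGER:
        raise ValueError("LDAPMessage without messageID")
    tag, bind, _ = _read_tlv(msg, pos)
    if tag != LDAP_BIND_REQUEST:
        return None
    _, version, pos = _read_tlv(bind, 0)
    _, name, pos = _read_tlv(bind, pos)
    auth_tag, auth, _ = _read_tlv(bind, pos)
    info = {"message_id": int.from_bytes(msg_id, "big", signed=True),
            "version": int.from_bytes(version, "big", signed=True),
            "dn": name.decode(), "mechanism": None, "password_exposed": False}
    if auth_tag == AUTH_SIMPLE:
        info["mechanism"] = "simple"
        info["password_exposed"] = len(auth) > 0   # empty = anonymous/unauthenticated bind
    elif auth_tag == AUTH_SASL:
        _, mech, _ = _read_tlv(auth, 0)
        info["mechanism"] = "SASL/" + mech.decode()
    return info


def cleartext_binds(packets):
    """Detection pass over (src, dst_port, tcp_payload) tuples: flag simple binds
    carrying a password on the plain LDAP port. Payloads after a successful
    StartTLS are ciphertext and fail to parse, which is the outcome we want."""
    findings = []
    for src, dst_port, payload in packets:
        if dst_port != 389:
            continue
        try:
            info = inspect_bind(payload)
        except ValueError:
            continue
        if info and info["password_exposed"]:
            findings.append((src, info["dn"]))
    return findings


# Constructed samples (not captured traffic).
SIMPLE_PDU = encode_simple_bind(1, "uid=alice,ou=people,dc=example,dc=edu", "hunter2")
GSSAPI_PDU = encode_sasl_bind(2, "GSSAPI", b"constructed-token")
```

Running `cleartext_binds` over the two constructed PDUs reports only the simple bind: the GSSAPI one carries a Kerberos token, not the user's secret. A client configured for simple binds over port 389 without StartTLS, which is what a pam_ldap setup pointed at a directory does unless told otherwise, produces exactly the PDU the first sample shows.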
Received on Tue Jun 1 14:12:49 2004
This archive was generated by hypermail 2.1.8 : Tue Jun 01 2004 - 14:12:49 PDT