Crazy ideas about Kerberos, NTLM and PACs... (was NTLMSSP...)

Andrew Bartlett abartlet at
Mon Nov 19 03:51:03 GMT 2001

Jean Francois Micouleau wrote:
> On Mon, 19 Nov 2001, Andrew Bartlett wrote:
> > Why should samba have to have a 'root password' to the LDAP server to
> > function in an LDAP environment?
> how do you get the user's hashes to make the reply to a sessionsetup&X
> otherwise ?
> and samba doesn't need the root password, it just needs an account that
> can read other users' hashes.
>         J.F.

Easy, you get somebody else to make up the challenge and check the
response.  This is how 'security=server' (soon to be auth order = ...
smbserver ...) works.

OR you make up the challenge yourself and use a trust account of some
kind to show both it and the password to the server for a yea/nay. 
(like security=domain, soon to be auth order = ... ntdomain... ).

Andrew Bartlett

Andrew Bartlett                                 abartlet at
Manager, Authentication Subsystems, Samba Team  abartlet at
Student Network Administrator, Hawker College   abartlet at
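
The two delegation models described in the message above, as an added sketch that is not part of the original post and not Samba code. It assumes a toy HMAC-SHA256 response in place of the real NTLM calculation, models what the front end relays as the client's response, and leaves out authentication of the trust account; all class and function names are hypothetical.

```python
import hashlib
import hmac
import os

def response(secret: bytes, challenge: bytes) -> bytes:
    # Toy stand-in for the NTLM response calculation (assumption: HMAC-SHA256).
    return hmac.new(secret, challenge, hashlib.sha256).digest()

class AuthServer:
    """The only party that can read user secrets (the LDAP/DC role)."""
    def __init__(self, secrets):
        self._secrets = dict(secrets)
        self._issued = set()

    def issue_challenge(self) -> bytes:
        challenge = os.urandom(8)
        self._issued.add(challenge)
        return challenge

    def check_issued(self, user, challenge, resp) -> bool:
        # security=server style: accept only a challenge we issued, and only once.
        fresh = challenge in self._issued
        self._issued.discard(challenge)
        return fresh and self._verify(user, challenge, resp)

    def check_relayed(self, user, challenge, resp) -> bool:
        # security=domain style: the front end made up the challenge itself.
        return self._verify(user, challenge, resp)

    def _verify(self, user, challenge, resp) -> bool:
        secret = self._secrets.get(user)
        return secret is not None and hmac.compare_digest(response(secret, challenge), resp)

class FileServer:
    """Front end (Samba's role): holds a handle to the auth server, no secrets."""
    def __init__(self, auth):
        self.auth = auth

    def login_passthrough(self, user, answer) -> bool:
        challenge = self.auth.issue_challenge()
        return self.auth.check_issued(user, challenge, answer(challenge))

    def login_domain(self, user, answer) -> bool:
        challenge = os.urandom(8)
        return self.auth.check_relayed(user, challenge, answer(challenge))

def client(secret: bytes):
    # A client is modelled as a function from challenge to response.
    return lambda challenge: response(secret, challenge)
```

In both modes the front end only ever sees a challenge, a response and a yes/no answer, so it needs no account that can read other users' hashes.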
