Crazy ideas about Kerberos, NTLM and PACs... (was NTLMSSP...)
Andrew Bartlett
abartlet at pcug.org.au
Mon Nov 19 03:51:03 GMT 2001
Jean Francois Micouleau wrote:
>
> On Mon, 19 Nov 2001, Andrew Bartlett wrote:
>
> > Why should samba have to have a 'root password' to the LDAP server to
> > function in an LDAP environment?
>
> how do you get the user's hashes to make the reply to a sessionsetup&X
> otherwise ?
>
> and samba doesn't need the root password, it just needs an account that
> can read other users' hashes.
>
> J.F.
Easy, you get somebody else to make up the challenge and check the
response. This is how 'security=server' (soon to be auth order = ...
smbserver ...) works.
OR you make up the challenge yourself and use a trust account of some
kind to show both it and the password to the server for a yea/nay.
(like security=domain, soon to be auth order = ... ntdomain... ).
Andrew Bartlett
--
Andrew Bartlett abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team abartlet at samba.org
Student Network Administrator, Hawker College abartlet at hawkerc.net
http://samba.org http://build.samba.org http://hawkerc.net
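The two models described in the reply above, as an added example that is not part of the original post and is not Samba code: in both, the file server authenticates users without ever storing or reading their hashes. The class and method names are hypothetical, HMAC-SHA256 stands in for the real NTLM response calculation, and the trust-account proof is a simplified assumption.

```python
import hashlib, hmac, os

def answer(pw_hash, challenge):
    # Stand-in for the NTLM response calculation (assumption: HMAC-SHA256
    # replaces the real DES-based function so the example is stdlib-only).
    return hmac.new(pw_hash, challenge, hashlib.sha256).digest()

class AuthServer:
    """Hypothetical password server / domain controller: the only hash holder."""
    def __init__(self, hashes, trust_keys):
        self._hashes, self._trust, self._issued = hashes, trust_keys, {}

    def new_challenge(self, session):
        self._issued[session] = os.urandom(8)
        return self._issued[session]

    def check_own(self, session, user, resp):
        # Pass-through model: verify against the challenge issued here, once.
        chal = self._issued.pop(session, None)
        return chal is not None and self._verify(user, chal, resp)

    def check_for_member(self, member, proof, user, chal, resp):
        # Trust-account model: member made up chal, proves it holds its trust key.
        key = self._trust.get(member)
        if key is None or not hmac.compare_digest(answer(key, chal + resp), proof):
            return False
        return self._verify(user, chal, resp)

    def _verify(self, user, chal, resp):
        h = self._hashes.get(user)
        return h is not None and hmac.compare_digest(answer(h, chal), resp)

class FileServer:
    """Hypothetical Samba-like server: stores no user hashes at all."""
    def __init__(self, auth, name, trust_key):
        self.auth, self.name, self.trust_key = auth, name, trust_key

    def login_passthrough(self, session, user, client):
        chal = self.auth.new_challenge(session)      # somebody else's challenge
        return self.auth.check_own(session, user, client(chal))

    def login_trusted(self, user, client):
        chal = os.urandom(8)                         # our own challenge
        resp = client(chal)
        proof = answer(self.trust_key, chal + resp)
        return self.auth.check_for_member(self.name, proof, user, chal, resp)

def make_client(pw_hash):
    return lambda chal: answer(pw_hash, chal)        # constructed sample client
```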