Setting the story straight on wbinfo -a

[Andrew Bartlett]

Wbinfo is a very useful testing tool for winbind.  Primarily designed as
a developers and administrators testing tool, it allows winbind to be
queried directly, rather than via PAM or glibc.

On of the testing features is 'wbinfo -a'.  This command attempts the
two forms of authenticaiton supporte by the deamon - and reports the
result.

In HEAD, the report is accompaniced the the NTSTATUS code that the
remote server returned (or the local error that occured).

The two forms of authenticiaon are:

'plaintext' and 'challange-response'.

The first is the only method that existed in winbind historically - it
takes a plaintext password and sends it over the domain socket for
encryption and transmission to the DC.

The 'plaintext' passsword never leaves the host.

The second (and newer) method is 'challange-response'.  This method
takes a pre-existing challange-response pair (often from NTLMSSP over
HTTP) and asks the remote DC to verifiy it.  There is a minor security
issue with this functionality - the ability to specify a challange could
allow a number of subtle attacks.  As such this functionality has been
withheld from release until it can be restricted to certain groups of
users (squid and apache for example).

If the first method is failing, then the second will also fail.  The
second failing has no impact on the first - it is an error that can be
ignored if the functionality isn't compiled in.   Wbinfo -a was never
intended to be used to check 'real' usernames and passwords (the
password is exposed on the command line for one).  Users with that
requirement are directed to the PAM module, and its much more complete
interface.

Andrew Bartlett
-- 
Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net