wbinfo -a uses plaintext authentication ...

Andrew Bartlett abartlet at pcug.org.au
Fri Jan 11 15:04:51 GMT 2002


Richard Sharpe wrote:
> 
> Hi,
> 
> wbinfo -a uses plaintext authentication ... always, and then retries
> with _crap authentication if plaintext fails.
> 
> This means that the password is always sent via plain text.
> 
> This seems, ummm, bad. Perhaps there should be another flag for plaintext?

It's not bad - it's perfectly fine.

Firstly - wbinfo -a is just a testing tool, and the password is already
on the (other user visible) command line by this stage.

Secondly: The plaintext/crap authentication methods both send a
challenge-response pair to the DC; the difference is where it is
encrypted.

The crap method (tpot's choice of name :-) is for projects like squid to
use when doing NTLM over HTTP, where they generate their own
challenge-response and need to verify it with the DC.

The plaintext method is for things like winbind_pam which can't (and
don't want to) link smbencrypt.o.  They send the password in plaintext
across the socket for winbindd to encrypt before sending it off to the
DC in the usual manner.

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net




More information about the samba-technical mailing list