wbinfo -a uses plaintext authentication ...
Andrew Bartlett
abartlet at pcug.org.au
Fri Jan 11 15:04:51 GMT 2002
Richard Sharpe wrote:
>
> Hi,
>
> wbinfo -a uses plaintext authentication ... always, and then retries
> with _crap authentication if plaintext fails.
>
> This means that the password is always sent via plain text.
>
> This seems, ummm, bad. Perhaps there should be another flag for plaintext?
It's not bad - it's perfectly fine.
Firstly - wbinfo -a is just a testing tool, and the password is already
on the (other user visible) command line by this stage.
Secondly: The plaintext/crap authentication methods both send a
challenge-response pair to the DC, the difference is where it is
encrypted.
The crap method (tpot's choice of name :-) is for projects like squid to
use when doing NTLM over HTTP, where they generate their own
challenge-response and need to verify it with the DC.
The plaintext method is for things like winbind_pam which can't (and
don't want to) link smbencrypt.o. They send the password in plaintext
across the socket for winbindd to encrypt before sending it off to the
DC in the usual manner.
Andrew Bartlett
--
Andrew Bartlett abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team abartlet at samba.org
Student Network Administrator, Hawker College abartlet at hawkerc.net
http://samba.org http://build.samba.org http://hawkerc.net
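
Added example, not part of the original message and not Samba code: a toy model of the two request types described above, recording what crosses the local winbindd socket and what reaches the DC in each case. The class and function names are hypothetical, and SHA-256/HMAC stand in for the real NTLM hash and response calculation.

```python
import hashlib
import hmac
import os

def pw_key(password):
    # Stand-in for the NT hash (assumption: real NTLM uses MD4 over UTF-16LE).
    return hashlib.sha256(password.encode("utf-16-le")).digest()

def response_for(key, challenge):
    # Stand-in for the NTLM response calculation (assumption: not the real algorithm).
    return hmac.new(key, challenge, hashlib.sha256).digest()

class ToyDC:
    def __init__(self, accounts):
        self.keys = {user: pw_key(pw) for user, pw in accounts.items()}
        self.wire = []  # every message that reached the DC

    def verify(self, user, challenge, response):
        self.wire.append((user, challenge, response))
        key = self.keys.get(user)
        if key is None:
            return False
        return hmac.compare_digest(response_for(key, challenge), response)

class ToyWinbindd:
    def __init__(self, dc):
        self.dc = dc
        self.socket = []  # every request that crossed the local socket

    def auth_plaintext(self, user, password):
        # pam-style caller: password arrives in the clear, winbindd encrypts it.
        self.socket.append(("plaintext", user, password))
        challenge = os.urandom(8)
        resp = response_for(pw_key(password), challenge)
        return self.dc.verify(user, challenge, resp)

    def auth_crap(self, user, challenge, response):
        # squid-style caller: the pair was generated elsewhere, winbindd relays it.
        self.socket.append(("crap", user, challenge, response))
        return self.dc.verify(user, challenge, response)

def run_both(user, password):
    dc = ToyDC({"alice": "constructed-pw"})  # constructed sample account
    wb = ToyWinbindd(dc)
    ok_plain = wb.auth_plaintext(user, password)
    challenge = os.urandom(8)
    client_resp = response_for(pw_key(password), challenge)
    ok_crap = wb.auth_crap(user, challenge, client_resp)
    return ok_plain, ok_crap, wb.socket, dc.wire
```

In both paths the DC log holds only (user, challenge, response) tuples; the cleartext password appears only in the local socket log of the plaintext request.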