wbinfo -a uses plaintext authentication ...

Andrew Bartlett abartlet at pcug.org.au
Sat Jan 12 18:45:03 GMT 2002


Tim Potter wrote:
> 
> On Sat, Jan 12, 2002 at 09:52:03AM +1100, Andrew Bartlett wrote:
> 
> > > This seems, ummm, bad. Perhaps there should be another flag for plaintext?
> >
> > It's not bad - it's perfectly fine.
> >
> > Firstly - wbinfo -a is just a testing tool, and the password is already
> > on the (other user visible) command line by this stage.
> 
> I might move some of this stuff into 'net winbind'.

I'm not sure about this.  While I'm all for expanding the 'net' command
(because it looks like it might allow all sorts of functionality to be
exposed without needing a new utility per command) I think we need some
ground rules.

In particular I feel that the 'net' command should be reserved for
commands that actually interact with the network, and we should have a
separate tool for things like setting winbind non-anonymous
usernames/password and winbind testing.

The wbinfo case is interesting because it provides a very nice way to
example all the winbind calls.  In fact it would almost stand alone if
not for the secrets.tdb stuff.  When we have groups like squid also
looking to use winbind having a clear single example (and testing)
executable makes everybody's life easier.

> > Secondly:  The plaintext/crap authentication methods both send a
> > challenge-response pair to the DC, the difference is where it is
> > encrypted.
> 
> In other words the password is only sent plain text over the unix
> domain socket that connects the winbind client to the winbind daemon.

Thanks for making that clearer.

Anyway, that's my thoughts,

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net



