wbinfo -a uses plaintext authentication ...

Richard Sharpe rsharpe at ns.aus.com
Sat Jan 12 22:14:02 GMT 2002


Tim Potter wrote:

>On Sat, Jan 12, 2002 at 09:52:03AM +1100, Andrew Bartlett wrote:
>
>>>This seems, ummm, bad. Perhaps there should be another flag for plaintext?
>>>
>>It's not bad - it's perfectly fine.
>>
>>Firstly - wbinfo -a is just a testing tool, and the password is already
>>on the (other user visible) command line by this stage.
>>
One bad practice does not excuse another. In this case I am thinking of 
its use on an appliance, where this is not a real issue. In any case, 
there are ways to erase this info from the command line when the program 
starts.

>
>I might move some of this stuff into 'net winbind'.
>
>>Secondly:  The plaintext/crap authentication methods both send a
>>challenge-response pair to the DC, the difference is where it is
>>encrypted.  
>>
>
>In other words the password is only sent plain text over the unix
>domain socket that connects the winbind client to the winbind daemon.
>

OK, I wasn't thinking. This is fine.
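
The remark above about erasing the password from the command line when the program starts, shown in C as an added example (not Samba's code and not part of this thread). `take_password` and `wipe` are hypothetical names, and the `user%password` argument form for `-a` is an assumption of the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Overwrite n bytes through a volatile pointer so the compiler cannot
 * discard the stores as dead writes. */
static void wipe(char *s, size_t n)
{
    volatile char *p = s;
    while (n--)
        *p++ = '\0';
}

/* Hypothetical helper: given a "user%password" argument, return a heap
 * copy of the password and blank the password bytes inside argv itself.
 * Returns NULL if there is no '%' or the allocation fails. */
static char *take_password(char *arg)
{
    char *sep = strchr(arg, '%');
    if (sep == NULL)
        return NULL;
    size_t len = strlen(sep + 1);
    char *copy = malloc(len + 1);
    if (copy == NULL)
        return NULL;
    memcpy(copy, sep + 1, len + 1);
    wipe(sep + 1, len);   /* argv now ends at "user%" */
    return copy;
}

int main(int argc, char **argv)
{
    for (int i = 1; i + 1 < argc; i++) {
        if (strcmp(argv[i], "-a") != 0)
            continue;
        char *pw = take_password(argv[i + 1]);
        if (pw == NULL) {
            fprintf(stderr, "expected -a user%%password\n");
            return 1;
        }
        printf("argv[%d] is now \"%s\"; password kept in private memory\n",
               i + 1, argv[i + 1]);
        /* ... hand pw to the authentication call here ... */
        wipe(pw, strlen(pw));
        free(pw);
    }
    return 0;
}
```

On Linux the in-place overwrite is what `/proc/<pid>/cmdline` (and therefore `ps`) reports afterwards. The password is still readable by other users from exec until the wipe runs, so this narrows the exposure window rather than closing it.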





More information about the samba-technical mailing list