svn commit: samba r6219 - in branches/SAMBA_4_0/source: librpc/rpc ntvfs/posix

Andrew Bartlett abartlet at
Thu Apr 7 21:31:35 GMT 2005

On Thu, 2005-04-07 at 09:23 -0700, Richard Sharpe wrote:
> On Wed, 6 Apr 2005, Andrew Tridgell wrote:
> > Richard,
> >
> >  > This change allows us to fall back to authenticating without
> >  > DCERPC_SCHANNEL_128 if we fail. Thus, it allows us to work with Windows
> >  > NT DCs ...
> >
> > Could you explain in what situation this is needed? What specific
> > setup and set of calls is triggering this?
> OK, we have had lots of additional discussion about this, and I have
> concluded that the approach I took was wrong, because I made the code make
> a policy decision about security when that should be in the hands of
> administrators (if we even need to take that approach, that is).
> The code should not be falling back to a less secure method of
> authentication unless the administrator has requested that it do so.

I think the trick is also controlling this from the right place - we
will need that way for the admin to control it, and the infrastructure
needs to be developed (I'm thinking using cli_credentials) to do this.

> > The reason I ask is that your patch makes the test suite testing of
> > whether 128 bit schannel works completely useless.
> Can you tell me how to run that test?

This is the RPC-SCHANNEL test.

Andrew Bartlett

Andrew Bartlett                      
Authentication Developer, Samba Team 
Student Network Administrator, Hawker College
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url :

More information about the samba-technical mailing list