svn commit: samba r6219 - in branches/SAMBA_4_0/source:
abartlet at samba.org
Thu Apr 7 21:31:35 GMT 2005
On Thu, 2005-04-07 at 09:23 -0700, Richard Sharpe wrote:
> On Wed, 6 Apr 2005, Andrew Tridgell wrote:
> > Richard,
> > > This change allows us to fall back to authenticating without
> > > DCERPC_SCHANNEL_128 if we fail. Thus, it allows us to work with Windows
> > > NT DCs ...
> > Could you explain in what situation this is needed? What specific
> > setup and set of calls is triggering this?
>
> OK, we have had lots of additional discussion about this, and I have
> concluded that the approach I took was wrong, because I made the code make
> a policy decision about security when that should be in the hands of
> administrators (if we even need to take that approach, that is).
>
> The code should not be falling back to a less secure method of
> authentication unless the administrator has requested that it do so.

I think the trick is also controlling this from the right place - we
will need that way for the admin to control it, and the infrastructure
needs to be developed (I'm thinking using cli_credentials) to do this.

> > The reason I ask is that your patch makes the test suite testing of
> > whether 128 bit schannel works completely useless.
>
> Can you tell me how to run that test?

This is the RPC-SCHANNEL test.

Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Student Network Administrator, Hawker College http://hawkerc.net