svn commit: samba r6219 - in branches/SAMBA_4_0/source: librpc/rpc ntvfs/posix

Andrew Bartlett abartlet at samba.org
Fri Apr 8 03:26:27 GMT 2005


On Thu, 2005-04-07 at 18:32 -0700, Richard Sharpe wrote:
> On Fri, 8 Apr 2005, Andrew Bartlett wrote:
> 
> > > On Wed, 6 Apr 2005, Andrew Tridgell wrote:
> > >
> > > > Richard,
> > > >
> > > >  > This change allows us to fall back to authenticating without
> > > >  > DCERPC_SCHANNEL_128 if we fail. Thus, it allows us to work with Windows
> > > >  > NT DCs ...
> > > >
> > > > Could you explain in what situation this is needed? What specific
> > > > setup and set of calls is triggering this?
> > >
> > > OK, we have had lots of additional discussion about this, and I have
> > > concluded that the approach I took was wrong, because I made the code make
> > > a policy decision about security when that should be in the hands of
> > > administrators (if we even need to take that approach, that is).
> > >
> > > The code should not be falling back to a less secure method of
> > > authentication unless the administrator has requested that it do so.
> >
> > I think the trick is also controlling this from the right place - we
> > will need that way for the admin to control it, and the infrastructure
> > needs to be developed (I'm thinking using cli_credentials) to do this.
> 
> Hmmm, but it seems to me that when you call something like
> dcerpc_pipe_open_pipe you need to be able to specify the minimum security
> you need, and if the underlying code can't support that, it should return
> an error, perhaps saying what the max security is that it can support.

Exactly - a cli_credentials flag should indicate that.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net
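
The behaviour discussed in this thread, where the caller states a minimum security level and the connection attempt fails with an error reporting the server's maximum instead of downgrading, as an added example that is not part of the original message and is not Samba code. Every type and function name is hypothetical, and the three-level ordering is an assumption made for illustration.

```c
/* Added illustration only: every name here is hypothetical, not Samba's API. */
#include <stdio.h>
/* Ordered so that a larger value means stronger channel protection. */
enum sec_level { SEC_NONE = 0, SEC_SCHANNEL = 1, SEC_SCHANNEL_128 = 2 };
enum neg_status { NEG_OK = 0, NEG_ERR_BELOW_MINIMUM = -1 };

struct client_policy {
    enum sec_level preferred; /* strongest level the client will ask for */
    enum sec_level minimum;   /* floor chosen by the administrator */
};

struct neg_result {
    enum neg_status status;
    enum sec_level negotiated; /* meaningful only when status == NEG_OK */
    enum sec_level server_max; /* always filled in, so the error is actionable */
};

/* Pick the strongest level both sides support; never go below the floor. */
struct neg_result negotiate(const struct client_policy *p, enum sec_level server_max)
{
    struct neg_result r = { NEG_ERR_BELOW_MINIMUM, SEC_NONE, server_max };
    enum sec_level best = p->preferred < server_max ? p->preferred : server_max;
    if (best < p->minimum)
        return r; /* fail closed instead of silently downgrading */
    r.status = NEG_OK;
    r.negotiated = best;
    return r;
}

static const char *name(enum sec_level l)
{
    return l == SEC_SCHANNEL_128 ? "schannel-128" : l == SEC_SCHANNEL ? "schannel" : "none";
}

int main(void)
{
    /* Constructed cases: a server without 128-bit support, seen under two policies. */
    struct client_policy strict = { SEC_SCHANNEL_128, SEC_SCHANNEL_128 };
    struct client_policy relaxed = { SEC_SCHANNEL_128, SEC_SCHANNEL };
    const struct client_policy *cases[] = { &strict, &relaxed };
    for (int i = 0; i < 2; i++) {
        struct neg_result r = negotiate(cases[i], SEC_SCHANNEL);
        if (r.status == NEG_OK)
            printf("ok: negotiated %s\n", name(r.negotiated));
        else
            printf("refused: need %s, server max is %s\n", name(cases[i]->minimum), name(r.server_max));
    }
    return 0;
}
```

With the strict policy the weaker server is refused and its maximum is reported; only the policy whose floor the administrator lowered connects at the weaker level.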