abartlet at samba.org
Wed Feb 16 21:03:07 GMT 2005
On Thu, 2005-02-17 at 02:34 +1100, Andrew Tridgell wrote:
> > Agreed. But doing the ntlm(2?) bind with the machine account is ok? IIRC this
> > can't be done in the windows world, but I think samba could implement this
> > without the need for kerberos I think.
> I'll leave it up to abartlet and you to work out - I'm just flagging
> that allowing anonymous access to this is not good.
I'm certainly not happy with an NTLM bind, mostly because we can't
handle the trusted domain case for:
Samba Server -> Windows Domain (primary)
             -> Samba domain (trusted)
It also just does not match windows behaviour.
For our primary domain, then a schannel bind is appropriate. For
trusted domains, this is harder to get right.
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Student Network Administrator, Hawker College http://hawkerc.net