Opportunities for Samba4 based CIFS proxies

Love lha at kth.se
Thu Nov 3 21:45:34 GMT 2005

Matt Benjamin <matt at linuxbox.com> writes:

> I have a variant of the NPLogon redirection mechanism, which employs
> krb5.  I do not find it satisfying, however.

One version of this would be to forward the NTLM request to the KDC over a
secure channel, and have the KDC hand back the NTLM reply, the NTLM session key,
and an afs kerberos ticket.

With this, only users that talked to the services get their tickets stolen,
and those are only valid for N hours.

Compare this to having your key to the afs service compromised, where you can
fake tickets for _all_ users _forever_. Given a service key, it's _very_
simple to print yourself a ticket.

Even if you just had a service like S4U2Self that prints you a ticket, you
get a log of what services/users are compromised in case of a problem.

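The following is an added toy model of the design sketched in the message
above (NTLM forwarded to the KDC, which hands back a session key and a
short-lived afs ticket, and logs which service asked for which user). It is
constructed for illustration and is not Samba, Heimdal or AFS code; the names
(KDC, cifs_logon, forge_ticket, ...), the JSON ticket format and HMAC-SHA256
in place of real NTLMv2/Kerberos crypto are all assumptions. What it shows is
the blast radius the message contrasts: a compromised proxy holds tickets only
for users who actually logged on, only for N hours, and cannot relabel them,
while a compromised service key mints a ticket for anyone, forever, with no
trace in the KDC log.

```python
import hashlib
import hmac
import json
import os

LIFETIME = 8 * 3600   # KDC-issued tickets are "only valid for N hours"
TAG_LEN = 32

def mac(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()

def ntlm_response(user_key: bytes, server_challenge: bytes, client_nonce: bytes):
    """Simplified NTLM challenge/response.  Real NTLMv2 chains HMAC-MD5 over
    the NT hash; HMAC-SHA256 over a per-user key is an assumption here."""
    proof = mac(user_key, server_challenge + client_nonce)
    session_key = mac(user_key, proof)          # NTLM session key
    return proof, session_key

class KDC:
    """Holds every user key and service key.  Nothing else can mint tickets."""
    def __init__(self, user_keys: dict, service_keys: dict):
        self.user_keys = user_keys
        self.service_keys = service_keys
        self.audit = []                         # (time, calling service, user, outcome)

    def issue_ticket(self, user: str, service: str, now: int) -> bytes:
        body = json.dumps({"user": user, "service": service, "start": now,
                           "expiry": now + LIFETIME}, sort_keys=True).encode()
        return body + mac(self.service_keys[service], body)

    def verify_ntlm_and_issue(self, caller: str, user: str, server_challenge: bytes,
                              client_nonce: bytes, proof: bytes, now: int):
        """Entry point reached over the secure channel from a CIFS service.
        Returns (NTLM session key, afs ticket) or None; every call is logged,
        so the KDC knows which service asked for which user."""
        key = self.user_keys.get(user)
        if key is None:
            self.audit.append((now, caller, user, "unknown user"))
            return None
        expected, session_key = ntlm_response(key, server_challenge, client_nonce)
        if not hmac.compare_digest(expected, proof):
            self.audit.append((now, caller, user, "bad NTLM response"))
            return None
        self.audit.append((now, caller, user, "afs ticket issued"))
        return session_key, self.issue_ticket(user, "afs", now)

def verify_ticket(service_key: bytes, blob: bytes, now: int):
    """What the afs server does: check the tag under its own key, then the window."""
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(mac(service_key, body), tag):
        return None
    ticket = json.loads(body)
    if not ticket["start"] <= now < ticket["expiry"]:
        return None
    return ticket

def forge_ticket(service_key: bytes, user: str, now: int) -> bytes:
    """What a stolen *service* key buys: a ticket for any user with any lifetime."""
    body = json.dumps({"user": user, "service": "afs", "start": 0,
                       "expiry": now + 10 ** 9}, sort_keys=True).encode()
    return body + mac(service_key, body)

def cifs_logon(kdc: KDC, proxy: str, user: str, user_key: bytes, now: int):
    """One NTLM logon through a CIFS proxy.  The proxy never holds the user
    key or any service key; it relays challenge and response to the KDC."""
    server_challenge, client_nonce = os.urandom(8), os.urandom(8)
    proof, _ = ntlm_response(user_key, server_challenge, client_nonce)  # client side
    return kdc.verify_ntlm_and_issue(proxy, user, server_challenge, client_nonce, proof, now)

def demo() -> dict:
    user_keys = {"alice": os.urandom(32), "bob": os.urandom(32)}   # constructed keys
    service_keys = {"afs": os.urandom(32)}
    kdc = KDC(user_keys, service_keys)
    now = 1_000_000
    # Only alice logs on through the proxy; bob tries with a wrong password.
    _, alice_ticket = cifs_logon(kdc, "cifs-proxy-1", "alice", user_keys["alice"], now)
    bob_attempt = cifs_logon(kdc, "cifs-proxy-1", "bob", os.urandom(32), now)
    afs_key = service_keys["afs"]
    # A compromised proxy holds alice's ticket: usable now, dead after LIFETIME,
    # and relabelling it for bob breaks the tag.
    relabelled = alice_ticket.replace(b'"alice"', b'"bob"')
    # A compromised afs service key needs no logon at all and never expires.
    forged = forge_ticket(afs_key, "bob", now)
    return {
        "stolen_ticket_valid_now": verify_ticket(afs_key, alice_ticket, now + 60) is not None,
        "stolen_ticket_valid_after_n_hours": verify_ticket(afs_key, alice_ticket, now + LIFETIME) is not None,
        "stolen_ticket_relabelled_for_bob": verify_ticket(afs_key, relabelled, now + 60) is not None,
        "wrong_password_rejected": bob_attempt is None,
        "forged_with_service_key_in_ten_years": verify_ticket(afs_key, forged, now + 10 * 365 * 86400) is not None,
        "audit": [(svc, user, outcome) for _, svc, user, outcome in kdc.audit],
    }

if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

The audit list is the point of the last paragraph: because the proxy has to go
through the KDC for every ticket, the KDC log names each service/user pair
that could be affected by a compromised proxy, whereas a ticket forged with a
stolen service key never touches the KDC and leaves no such record.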

