Opportunities for Samba4 based CIFS proxies
Matt Benjamin
matt at linuxbox.com
Thu Nov 3 22:27:12 GMT 2005
I see. So the client wouldn't know anything about that, correct?
Matt
Love wrote:
>Matt Benjamin <matt at linuxbox.com> writes:
>
>>I have a variant of the NPLogon redirection mechanism, which employs
>>krb5. I do not find it satisfying, however.
>
>One version of this would be to forward the NTLM request on the KDC over a
>secure channel, and have the KDC hand back NTLM reply, NTLM session key,
>and afs kerberos ticket.
>
>With this, only users that talked to the services get the tickets stolen,
>and those are only valid for N hours.
>
>Compare this to having your key to the afs service compromised that you can
>fake tickets for _all_ users _forever_. Given a service key, it's _very_
>simple to print yourself a ticket.
>
>Even if you just had a service like S4U2Self, that prints you a ticket, you
>get a log on what service/users are compromised in case of a problem.
>
>Love
More information about the samba-technical
mailing list