[SAMBA4] When to fallback to NTLMSSP?

Andrew Bartlett abartlet at samba.org
Sat Oct 29 13:28:45 GMT 2005


NTLM is old, insecure and deprecated.  So the marketing blurb goes, and
the great move forward is to Kerberos.

The problem with this is that NTLM is reliable:  When all else fails,
NTLM logins are still likely to be working, and as such fallback from
Kerberos to NTLMSSP is often a good thing.  The problem is, when should
we do that, and what risks do we expose by doing so?

NTLMSSP can be configured in a more secure way, but even this
compromises connections to Samba < 3.0.20 (mostly for password changes,
fortunately).  It isn't as good as Kerberos, and so we try and avoid it.

So, when Kerberos fails, should we just jump back to NTLMSSP, or should
we just fail?  Currently we only fall back for a very specific set of
error conditions (server not known to KDC, KDC unreachable), but this
list is growing, as we find new and interesting ways for Kerberos to
fail.  Perhaps we should always fall back?  Perhaps we should only error
to the user on kinit failure?

I'm interested in ideas, both from the 'secure' and 'sane behaviour'
standpoint.

Andrew Bartlett
-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Samba Developer, SuSE Labs, Novell Inc.        http://suse.de
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net
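
The fallback behaviours weighed in the message above, written out as an added example (not part of the original post and not Samba's code) so their downgrade exposure can be compared on the same input. The enum names, failure classes and sample attempt log are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical failure classes named after the cases in the post;
 * these are not Samba's or any Kerberos library's real error codes. */
enum krb_failure { KRB_OK, KRB_SERVER_UNKNOWN_TO_KDC, KRB_KDC_UNREACHABLE,
                   KRB_KINIT_FAILED, KRB_OTHER_FAILURE };

/* The candidate behaviours the post weighs (names are assumptions). */
enum policy { NEVER_FALL_BACK, SPECIFIC_ERRORS_ONLY,
              ERROR_ONLY_ON_KINIT_FAILURE, ALWAYS_FALL_BACK };

enum action { USE_KERBEROS, USE_NTLMSSP, FAIL_TO_USER };

enum action decide(enum policy p, enum krb_failure f)
{
    if (f == KRB_OK)
        return USE_KERBEROS;
    switch (p) {
    case ALWAYS_FALL_BACK:
        return USE_NTLMSSP;
    case ERROR_ONLY_ON_KINIT_FAILURE:
        return f == KRB_KINIT_FAILED ? FAIL_TO_USER : USE_NTLMSSP;
    case SPECIFIC_ERRORS_ONLY:   /* the allowlist the post describes */
        return (f == KRB_SERVER_UNKNOWN_TO_KDC || f == KRB_KDC_UNREACHABLE)
                   ? USE_NTLMSSP : FAIL_TO_USER;
    case NEVER_FALL_BACK:
    default:
        return FAIL_TO_USER;     /* unknown policy value: fail closed */
    }
}

/* Count how many attempts in a log end up on NTLMSSP under a policy. */
size_t count_downgrades(enum policy p, const enum krb_failure *log, size_t n)
{
    size_t downgraded = 0;
    for (size_t i = 0; i < n; i++)
        if (decide(p, log[i]) == USE_NTLMSSP)
            downgraded++;
    return downgraded;
}

/* Constructed sample: outcomes of six connection attempts. */
static const enum krb_failure sample[] = {
    KRB_OK, KRB_KDC_UNREACHABLE, KRB_OTHER_FAILURE,
    KRB_KINIT_FAILED, KRB_SERVER_UNKNOWN_TO_KDC, KRB_OK };

int main(void)
{
    for (int p = NEVER_FALL_BACK; p <= ALWAYS_FALL_BACK; p++)
        printf("policy %d: %zu of 6 attempts use NTLMSSP\n", p,
               count_downgrades((enum policy)p, sample, 6));
    return 0;
}
```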