[SAMBA4] When to fallback to NTLMSSP?

Simo Sorce idra at samba.org
Sat Oct 29 13:38:12 GMT 2005

On Sat, 2005-10-29 at 23:28 +1000, Andrew Bartlett wrote:
> NTLM is old, insecure and deprecated.  So the marketing blurb goes, and
> the great move forward is to kerberos.
> The problem with this is that NTLM is reliable:  When all else fails,
> NTLM logins are still likely to be working, and as such fallback from
> kerberos to NTLMSSP is often a good thing.  The problem is, when should
> we do that, and what risks do we expose by doing so?
> NTLMSSP can be configured in a more secure way, but even this
> compromises connections to Samba < 3.0.20 (mostly for password changes,
> fortunately).  It isn't as good as kerberos, and so we try and avoid it.
> So, when kerberos fails, should we just jump back to NTLMSSP, or should
> we just fail?  Currently we only fall back for a very specific set of
> error conditions (server not known to KDC, kdc unreachable), but this
> list is growing, as we find new and interesting ways for kerberos to
> fail.  Perhaps we should always fall back?  Perhaps we should only error
> to the user on kinit failure?
> I'm interested in ideas, both from the 'secure' and 'sane behaviour'
> standpoint.

If it is not to difficult to implement I think that having a fine
grained (ldb based ?) control set would be the best choice.

I think we should have both general options like "fallback = always|
never" and per subsystem (where applicable) options (like for password
changing, server trusts, machine trusts, AD replication, etc ...


Simo Sorce    -  idra at samba.org
Samba Team    -  http://www.samba.org
Italian Site  -  http://samba.xsec.it

More information about the samba-technical mailing list