[SAMBA4] When to fallback to NTLMSSP?
Simo Sorce
idra at samba.org
Sat Oct 29 13:38:12 GMT 2005
On Sat, 2005-10-29 at 23:28 +1000, Andrew Bartlett wrote:
> NTLM is old, insecure and deprecated. So the marketing blurb goes, and
> the great move forward is to kerberos.
>
> The problem with this is that NTLM is reliable: When all else fails,
> NTLM logins are still likely to be working, and as such fallback from
> kerberos to NTLMSSP is often a good thing. The problem is, when should
> we do that, and what risks do we expose by doing so?
>
> NTLMSSP can be configured in a more secure way, but even this
> compromises connections to Samba < 3.0.20 (mostly for password changes,
> fortunately). It isn't as good as kerberos, and so we try and avoid it.
>
> So, when kerberos fails, should we just jump back to NTLMSSP, or should
> we just fail? Currently we only fall back for a very specific set of
> error conditions (server not known to KDC, kdc unreachable), but this
> list is growing, as we find new and interesting ways for kerberos to
> fail. Perhaps we should always fall back? Perhaps we should only error
> to the user on kinit failure?
>
> I'm interested in ideas, both from the 'secure' and 'sane behaviour'
> standpoint.
If it is not to difficult to implement I think that having a fine
grained (ldb based ?) control set would be the best choice.
I think we should have both general options like "fallback = always|
never" and per subsystem (where applicable) options (like for password
changing, server trusts, machine trusts, AD replication, etc ...
Simo.
--
Simo Sorce - idra at samba.org
Samba Team - http://www.samba.org
Italian Site - http://samba.xsec.it
More information about the samba-technical
mailing list