[SAMBA4] When to fallback to NTLMSSP?
Andrew Bartlett
abartlet at samba.org
Sun Oct 30 21:47:44 GMT 2005
On Sun, 2005-10-30 at 08:30 +0100, Volker Lendecke wrote:
> On Sat, Oct 29, 2005 at 09:38:12AM -0400, Simo Sorce wrote:
> > > I'm interested in ideas, both from the 'secure' and 'sane behaviour'
> > > standpoint.
> >
> > If it is not too difficult to implement I think that having a fine
> > grained (ldb based ?) control set would be the best choice.
>
> Just my 2 cents: To me this sounds too complicated. This needs to be *SIMPLE*.
> Anything more complex than setting 'security level = 5' or something similar is
> bound to fail in real world installations.

I've been thinking about this, and I think the right way to handle this
is to only directly fail on a positive 'wrong password' to the KDC.

We can then have broad administrator controls such as you suggest, with
command-line overrides for our client utilities.

(Technically I'll then implement what I proposed earlier with the
credentials system controlling what mechs are available. That is
proving to be a very useful glue layer, as it is hooked into many of the
right spots...)

Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Samba Developer, SuSE Labs, Novell Inc. http://suse.de
Authentication Developer, Samba Team http://samba.org
Student Network Administrator, Hawker College http://hawkerc.net