[SAMBA4] When to fallback to NTLMSSP?

Andrew Bartlett abartlet at samba.org
Sun Oct 30 21:47:44 GMT 2005

On Sun, 2005-10-30 at 08:30 +0100, Volker Lendecke wrote:
> On Sat, Oct 29, 2005 at 09:38:12AM -0400, Simo Sorce wrote:
> > > I'm interested in ideas, both from the 'secure' and 'sane behaviour'
> > > standpoint.
> > 
> > If it is not to difficult to implement I think that having a fine
> > grained (ldb based ?) control set would be the best choice.
> Just my 2 cents: To me this sounds too complicated. This needs to be *SIMPLE*.
> Anything more complex than setting 'security level = 5' or something similar is
> bound to fail in real world installations.

I've been thinking about this, and I think the right way to handle this
is to only directly fail on a positive 'wrong password' to the KDC.

We can then have broad administrator controls such as you suggest, with
command-line overrides for our client utilities.

(Technically I'll then implement what I proposed earlier with the
credentials system controlling what mechs are available.  That is
proving to be a very useful glue layer, as it is hooked into many of the
right spots...)

Andrew Bartlett

Andrew Bartlett                                http://samba.org/~abartlet/
Samba Developer, SuSE Labs, Novell Inc.        http://suse.de
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.samba.org/archive/samba-technical/attachments/20051031/741bdad9/attachment.bin

More information about the samba-technical mailing list