svn commit: samba r17610 - in branches/SAMBA_3_0/source: . lib nsswitch utils

Andrew Bartlett abartlet at
Sat Aug 19 04:17:38 GMT 2006

On Sat, 2006-08-19 at 01:04 +0000, jra at wrote:
> Author: jra
> Date: 2006-08-19 01:04:54 +0000 (Sat, 19 Aug 2006)
> New Revision: 17610
> WebSVN:
> Log:
> Added the ability for firefox to drive the winbindd
> ntlm_auth module to allow it to use winbindd cached
> credentials.The credentials are currently only stored
> in a krb5 MIT environment - we need to add an option to
> winbindd to allow passwords to be stored even in an NTLM-only
> environment.
> Patch from Robert O'Callahan, modified with some fixes
> by me.

I really like the idea, and it is something that will also benefit the
work Kai Blin is doing for wine.

However, I'm worried about the 'skip the negotiate packet' part.  Is it
really impossible to have ntlm_auth/winbindd handle the whole
transaction?  Winbindd would not need to be involved in the whole
process, only the key challenge+passsword=response step, but this would
allow Wine and other client projects to just use ntlm_auth, without
requiring their own NTLMSSP negotiate code.

I would also prefer that we set this not to allow LM authentication, to
limit the possible attacks on the password available to clients.

Andrew Bartlett

Andrew Bartlett                      
Authentication Developer, Samba Team 
Samba Developer, Red Hat Inc.        
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url :

More information about the samba-technical mailing list