svn commit: samba r17610 - in branches/SAMBA_3_0/source: . lib nsswitch utils

Andrew Bartlett abartlet at samba.org
Sat Aug 19 04:17:38 GMT 2006


On Sat, 2006-08-19 at 01:04 +0000, jra at samba.org wrote:
> Author: jra
> Date: 2006-08-19 01:04:54 +0000 (Sat, 19 Aug 2006)
> New Revision: 17610
> 
> WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=17610
> 
> Log:
> Added the ability for firefox to drive the winbindd
> ntlm_auth module to allow it to use winbindd cached
> credentials. The credentials are currently only stored
> in a krb5 MIT environment - we need to add an option to
> winbindd to allow passwords to be stored even in an NTLM-only
> environment.
> Patch from Robert O'Callahan, modified with some fixes
> by me.

I really like the idea, and it is something that will also benefit the
work Kai Blin is doing for wine.

However, I'm worried about the 'skip the negotiate packet' part.  Is it
really impossible to have ntlm_auth/winbindd handle the whole
transaction?  Winbindd would not need to be involved in the whole
process, only the key challenge+password=response step, but this would
allow Wine and other client projects to just use ntlm_auth, without
requiring their own NTLMSSP negotiate code.

I would also prefer that we set this not to allow LM authentication, to
limit the possible attacks on the password available to clients.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.                  http://redhat.com