svn commit: samba r17610 - in branches/SAMBA_3_0/source: . lib
jra at samba.org
Sat Aug 19 05:33:03 GMT 2006
On Sat, Aug 19, 2006 at 02:17:38PM +1000, Andrew Bartlett wrote:
> However, I'm worried about the 'skip the negotiate packet' part. Is it
> really impossible to have ntlm_auth/winbindd handle the whole
> transaction? Winbindd would not need to be involved in the whole
> process, only the key challenge+passsword=response step, but this would
> allow Wine and other client projects to just use ntlm_auth, without
> requiring their own NTLMSSP negotiate code.
> I would also prefer that we set this not to allow LM authentication, to
> limit the possible attacks on the password available to clients.
All that's missing is to allow winbindd to handle the initial
transaction generation - but that's so simple it's easy
to create the initial blob (which is what the associated
firefox code does).
A more pressing concern is that the credentials are currently
only cached in winbindd for one case (MIT krb5 where a MEMORY
keytab isn't available). We need to add a "winbind cache credentials"
parameter to make it do this in all cases (so the code isn't
Feel free to modify anything in the new work.
More information about the samba-technical