svn commit: samba r17610 - in branches/SAMBA_3_0/source: . lib nsswitch utils

Jeremy Allison jra at samba.org
Sat Aug 19 05:33:03 GMT 2006


On Sat, Aug 19, 2006 at 02:17:38PM +1000, Andrew Bartlett wrote:
> 
> However, I'm worried about the 'skip the negotiate packet' part.  Is it
> really impossible to have ntlm_auth/winbindd handle the whole
> transaction?  Winbindd would not need to be involved in the whole
> process, only the key challenge+password=response step, but this would
> allow Wine and other client projects to just use ntlm_auth, without
> requiring their own NTLMSSP negotiate code.
> 
> I would also prefer that we set this not to allow LM authentication, to
> limit the possible attacks on the password available to clients.

All that's missing is to allow winbindd to handle the initial
transaction generation - but that's so simple it's easy
to create the initial blob (which is what the associated
firefox code does).

A more pressing concern is that the credentials are currently
only cached in winbindd for one case (MIT krb5 where a MEMORY
keytab isn't available). We need to add a "winbind cache credentials"
parameter to make it do this in all cases (so the code isn't
so brittle).

Feel free to modify anything in the new work.

Jeremy.
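
The "initial blob" discussed in this message is the NTLMSSP NEGOTIATE (type 1) message. The sketch below is an example added here, not code from Samba, Firefox or either poster: it builds the minimal 32-byte form and parses it back. The function names and the chosen flag set are assumptions made for illustration; the flag values and field offsets follow the published NTLMSSP layout.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Flag values as defined for NTLMSSP in MS-NLMP. */
#define NTLMSSP_NEGOTIATE_UNICODE 0x00000001u
#define NTLMSSP_REQUEST_TARGET    0x00000004u
#define NTLMSSP_NEGOTIATE_LM_KEY  0x00000080u
#define NTLMSSP_NEGOTIATE_NTLM    0x00000200u
#define NTLMSSP_NEGOTIATE_NTLM2   0x00080000u  /* extended session security */
#define NEGOTIATE_LEN 32u  /* fixed header, empty domain/workstation, no version */
/* Assumed flag set for this example (not taken from Samba or Firefox); LM_KEY is left out. */
#define EXAMPLE_FLAGS (NTLMSSP_NEGOTIATE_UNICODE | NTLMSSP_REQUEST_TARGET | \
                       NTLMSSP_NEGOTIATE_NTLM | NTLMSSP_NEGOTIATE_NTLM2)

static void put_le32(uint8_t *p, uint32_t v) {
    for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i));
}
static uint32_t get_le32(const uint8_t *p) {
    return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Write a minimal NEGOTIATE (type 1) message; returns bytes written, 0 if cap is too small. */
size_t ntlmssp_build_negotiate(uint8_t *out, size_t cap, uint32_t flags) {
    if (out == NULL || cap < NEGOTIATE_LEN) return 0;
    memset(out, 0, NEGOTIATE_LEN);
    memcpy(out, "NTLMSSP", 8);          /* signature including its NUL */
    put_le32(out + 8, 1);               /* MessageType = NEGOTIATE */
    put_le32(out + 12, flags);
    put_le32(out + 20, NEGOTIATE_LEN);  /* domain buffer: len 0, offset 32 */
    put_le32(out + 28, NEGOTIATE_LEN);  /* workstation buffer: len 0, offset 32 */
    return NEGOTIATE_LEN;
}

/* Check signature and type of a received blob and extract its flags; -1 if malformed. */
int ntlmssp_parse_negotiate(const uint8_t *in, size_t len, uint32_t *flags) {
    if (in == NULL || flags == NULL || len < 16) return -1;
    if (memcmp(in, "NTLMSSP", 8) != 0 || get_le32(in + 8) != 1) return -1;
    *flags = get_le32(in + 12);
    return 0;
}

int main(void) {
    uint8_t blob[NEGOTIATE_LEN];
    size_t n = ntlmssp_build_negotiate(blob, sizeof blob, EXAMPLE_FLAGS);
    for (size_t i = 0; i < n; i++) printf("%02x", blob[i]);
    putchar('\n');
    return 0;
}
```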