svn commit: samba r17610 - in branches/SAMBA_3_0/source: . lib nsswitch utils

Andrew Bartlett abartlet at samba.org
Sat Aug 19 08:01:34 GMT 2006


On Fri, 2006-08-18 at 22:33 -0700, Jeremy Allison wrote:
> On Sat, Aug 19, 2006 at 02:17:38PM +1000, Andrew Bartlett wrote:
> > 
> > However, I'm worried about the 'skip the negotiate packet' part.  Is it
> > really impossible to have ntlm_auth/winbindd handle the whole
> > transaction?  Winbindd would not need to be involved in the whole
> > process, only the key challenge+password=response step, but this would
> > allow Wine and other client projects to just use ntlm_auth, without
> > requiring their own NTLMSSP negotiate code.
> > 
> > I would also prefer that we set this not to allow LM authentication, to
> > limit the possible attacks on the password available to clients.
> 
> All that's missing is to allow winbindd to handle the initial
> transaction generation - but that's so simple it's easy
> to create the initial blob (which is what the associated
> firefox code does).

I'm thinking we don't want winbindd to do this.  ntlm_auth should, but
we can leave winbindd stateless in this respect.  Winbindd should not be
returning a NTLMSSP blob, but instead just the NTLM response, which the
client library can then inject into the NTLMSSP stream. 

Samba4's client lib has been modified to make this kind of thing easy to
hook in (rather than only taking a plaintext password), perhaps it might
be worth looking at the credentials library, or at least how I hook it
into NTLMSSP and GENSEC. 

This would also allow smbclient to use this, even against older servers
not doing NTLMSSP.  Imagine the cups smbprint using this, and finally
getting working authenticated smb printing, with NTLM or libsmbclient
using it for transparent gnome-vfs.

> A more pressing concern is that the credentials are currently
> only cached in winbindd for one case (MIT krb5 where a MEMORY
> keytab isn't available). We need to add a "winbind cache credentials"
> parameter to make it do this in all cases (so the code isn't
> so brittle).
> 
> Feel free to modify anything in the new work.

I'm rather stuck in Samba4 (I'm trying to get Samba4 to back onto
Fedora DS, having just joined RedHat's directory services group), but
this is something I have long cared about, and has attracted my
attention...

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.                  http://redhat.com
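The split argued for above (a stateless helper that only turns challenge + credential into an NT response, with the client library owning the NTLMSSP framing and no LM response on the wire) can be shown in a few dozen lines. The following is an added example written for this archive page; it is not Samba, winbindd or ntlm_auth code. Message layouts and the NTLMv2 computation follow MS-NLMP; the NT hash, challenges, timestamp and names are constructed sample values, and the "server" side exists only so the exchange can be checked end to end.

```python
import hashlib
import hmac
import struct

# NTLMSSP negotiate flags (MS-NLMP 2.2.2.5); only the ones this exchange uses
NTLMSSP_NEGOTIATE_UNICODE = 0x00000001
NTLMSSP_REQUEST_TARGET = 0x00000004
NTLMSSP_NEGOTIATE_SIGN = 0x00000010
NTLMSSP_NEGOTIATE_NTLM = 0x00000200
NTLMSSP_NEGOTIATE_ALWAYS_SIGN = 0x00008000
NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY = 0x00080000
NTLMSSP_NEGOTIATE_128 = 0x20000000
CLIENT_FLAGS = (NTLMSSP_NEGOTIATE_UNICODE | NTLMSSP_REQUEST_TARGET | NTLMSSP_NEGOTIATE_SIGN
                | NTLMSSP_NEGOTIATE_NTLM | NTLMSSP_NEGOTIATE_ALWAYS_SIGN
                | NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY | NTLMSSP_NEGOTIATE_128)
SIGNATURE = b"NTLMSSP\x00"


def _utf16(s):
    return s.encode("utf-16-le")


def _fields(data, offset):
    # Len / MaxLen / BufferOffset descriptor used by every NTLMSSP payload field
    return struct.pack("<HHI", len(data), len(data), offset)


def _read_field(blob, pos):
    length, _, offset = struct.unpack_from("<HHI", blob, pos)
    return blob[offset:offset + length]


# ---- client library: owns the NTLMSSP framing (the ntlm_auth side of the argument) ----

def build_negotiate(flags=CLIENT_FLAGS):
    """NEGOTIATE_MESSAGE (32-byte header) with empty DomainName/Workstation fields."""
    return SIGNATURE + struct.pack("<II", 1, flags) + _fields(b"", 32) + _fields(b"", 32)


def parse_challenge(blob):
    """Return (flags, ServerChallenge, TargetInfo) from a CHALLENGE_MESSAGE."""
    if blob[:8] != SIGNATURE or struct.unpack_from("<I", blob, 8)[0] != 2:
        raise ValueError("not an NTLMSSP CHALLENGE_MESSAGE")
    return struct.unpack_from("<I", blob, 20)[0], blob[24:32], _read_field(blob, 40)


def build_authenticate(nt_response, user, domain, workstation, flags, lm_response=b""):
    """AUTHENTICATE_MESSAGE (64-byte header, no Version/MIC).  The client injects the
    response it received from the helper; LmChallengeResponse stays empty by default."""
    payload, descriptors = b"", []
    for data in (lm_response, nt_response, _utf16(domain), _utf16(user), _utf16(workstation), b""):
        descriptors.append(_fields(data, 64 + len(payload)))
        payload += data
    return SIGNATURE + struct.pack("<I", 3) + b"".join(descriptors) + struct.pack("<I", flags) + payload


# ---- stateless helper: sees only credential + challenge (the winbindd side) ----

def ntlmv2_response(nt_hash, user, domain, server_challenge, client_challenge, timestamp, target_info):
    """NTLMv2 NtChallengeResponse (MS-NLMP 3.3.2) from the NT hash alone: no NTLMSSP
    state is kept here and no LM material is ever produced."""
    v2_hash = hmac.new(nt_hash, _utf16(user.upper() + domain), hashlib.md5).digest()
    temp = (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", timestamp) + client_challenge
            + b"\x00" * 4 + target_info + b"\x00" * 4)
    proof = hmac.new(v2_hash, server_challenge + temp, hashlib.md5).digest()
    return proof + temp


# ---- server side, just enough to check the exchange ----

def build_challenge(server_challenge, flags, target_info):
    """CHALLENGE_MESSAGE (48-byte header, no Version) with an empty TargetName."""
    return (SIGNATURE + struct.pack("<I", 2) + _fields(b"", 48) + struct.pack("<I", flags)
            + server_challenge + b"\x00" * 8 + _fields(target_info, 48) + target_info)


def verify_authenticate(blob, nt_hash, server_challenge):
    """Recompute the proof from the stored NT hash; any LM response is refused outright."""
    if blob[:8] != SIGNATURE or struct.unpack_from("<I", blob, 8)[0] != 3:
        return False
    if _read_field(blob, 12):          # LmChallengeResponse present: LM is not accepted
        return False
    nt_response = _read_field(blob, 20)
    domain = _read_field(blob, 28).decode("utf-16-le")
    user = _read_field(blob, 36).decode("utf-16-le")
    if len(nt_response) <= 16:
        return False
    proof, temp = nt_response[:16], nt_response[16:]
    v2_hash = hmac.new(nt_hash, _utf16(user.upper() + domain), hashlib.md5).digest()
    expected = hmac.new(v2_hash, server_challenge + temp, hashlib.md5).digest()
    return hmac.compare_digest(proof, expected)


def exchange(nt_hash, verifier_hash=None, lm_response=b""):
    """Three-message exchange end to end, with fixed constructed sample values."""
    user, domain, workstation = "alice", "EXAMPLE", "PC1"
    server_challenge, client_challenge = bytes(range(8)), bytes(range(8, 16))
    timestamp = 0x01C6C36C4C5A0000                      # constructed FILETIME
    target_info = struct.pack("<HH", 2, 14) + _utf16("EXAMPLE") + struct.pack("<HH", 0, 0)
    negotiate = build_negotiate()                       # client builds this itself
    challenge = build_challenge(server_challenge, struct.unpack_from("<I", negotiate, 12)[0], target_info)
    flags, chal, ti = parse_challenge(challenge)
    nt_response = ntlmv2_response(nt_hash, user, domain, chal, client_challenge, timestamp, ti)
    auth = build_authenticate(nt_response, user, domain, workstation, flags, lm_response)
    return verify_authenticate(auth, nt_hash if verifier_hash is None else verifier_hash, server_challenge)


if __name__ == "__main__":
    sample_nt_hash = bytes.fromhex("0123456789abcdef0123456789abcdef")   # constructed
    print("accepted:", exchange(sample_nt_hash))
```

The only function that needs the credential is `ntlmv2_response`, and it needs nothing from the NTLMSSP state except the server challenge and target info the client hands it, which is the property that lets a smbclient or a libsmbclient user reuse the same helper against a server that does not speak NTLMSSP at all. Leaving `lm_response` empty and having the server refuse a non-empty one is the "do not allow LM" preference from the mail expressed on both ends.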
