svn commit: samba r17610 - in branches/SAMBA_3_0/source: . lib nsswitch utils

Andrew Bartlett abartlet at
Sat Aug 19 21:46:47 GMT 2006

On Sat, 2006-08-19 at 12:14 -0700, Jeremy Allison wrote:
> On Sat, Aug 19, 2006 at 06:01:34PM +1000, Andrew Bartlett wrote:
> > I'm thinking we don't want winbindd to do this.  ntlm_auth should, but
> > we can leave winbindd stateless in this respect.  Winbindd should not be
> > returning a NTLMSSP blob, but instead just the NTLM response, which the
> > client library can then inject into the NTLMSSP stream. 
> I might move towards that.
> > This would also allow smbclient to use this, even against older servers
> > not doing NTLMSSP.  Imagine the cups smbprint using this, and finally
> > getting working authenticated smb printing, with NTLM or libsmbclient
> > using it for transparent gnome-vfs.
> There's a horrid hack we use in SLES10 to make this work already,
> but in general I like that idea - much nicer than what we do now.
> I will modify the NTLM state in Samba3 to store only the NT and
> LM hashes, as there is no crypto in NTLMSSP that needs the plaintext
> for anything other than generating an intermediate NT or LM hash
> I think. I'm still looking into this. If I'm right it'll make
> winbindd less sensitive to storing plaintext passwords.

That's correct, and an entrypoint I support in the Samba4
NTLMSSP/credentials code.

Also, for plaintext:  do you store the plaintext or a hash for the
offline credentials?  You should store a salted hash.

Andrew Bartlett

Andrew Bartlett                      
Authentication Developer, Samba Team 
Samba Developer, Red Hat Inc.        
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url :

More information about the samba-technical mailing list