client impersonation

Andrew Bartlett abartlet at
Thu Jun 1 03:50:43 GMT 2006

On Wed, 2006-05-31 at 20:25 -0700, Murali Bashyam wrote:
> Is this doable for NTLM? For kerberos with delegation, i understand
> this is feasible.

As I have discussed on this list recently, a man-in-the-middle attack is
possible, but the Samba4 code doesn't support this yet.

I think there is a way with AD's kerberos to, for a suitably very
privileged account, get a ticket for another user.  Look into delegation
and related issues on Microsoft's site.

Andrew Bartlett
Andrew Bartlett                      
Authentication Developer, Samba Team 
Student Network Administrator, Hawker College
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 191 bytes
Desc: This is a digitally signed message part
Url :

More information about the samba-technical mailing list