NTLMv2

Andrew Bartlett abartlet at samba.org
Mon Nov 26 23:28:46 GMT 2007


On Mon, 2007-11-26 at 15:00 -0800, Todd Stecher wrote:
> On Nov 26, 2007, at 9:09 AM, Gerald (Jerry) Carter wrote:
> 
> > Does NT4 actually work?  Before I can feel comfortable about it,
> > we need to confirm that we work with Windows 2000 and later.
> 
> 
> We've done plenty of testing on W2000 and beyond.  All good there (at  
> least forcing the "client" Samba server to NTLMv2).
> 
> NT4 is really the only unknown, as are Samba DCs  - but I think Zach's  
> about got that tested.

So, the tricky part is not when we are a domain member, and we know the
name of the DC exactly.  NTLMv2 works very well then - and perhaps we
should split this discussion:

 - Domain member operation from winbind
 - General client operation

It may well be that we want, for the security of our users, to move up to
NTLMv2 everywhere, just as Vista has.  This has the same implications
about security=share as we found with Vista.

However if that isn't a step we want to take quite yet, we could quite
safely (as we are unlikely to encounter DCs without NTLMv2 support) set
winbindd to only ever do NTLMv2 (or Kerberos), SMB signed
communications.  Such a restriction would drastically limit MITM attacks
on winbindd, and solve the problem being presented here very nicely.  

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.
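An smb.conf fragment, added here as an illustration (it is not part of this message or the Samba project's own documentation), showing the client-side options that would pin outbound authentication to NTLMv2 and require signed sessions, alongside the server-side equivalent for the "everywhere" choice discussed above. Which of these winbindd honours for its own DC connection, and their availability in the Samba version under discussion, are assumptions.

```ini
# Added example, not from the original message. Assumes Samba 3.0-era
# smb.conf parameter names; whether winbindd applies every client-side
# option to its netlogon connection is an assumption.

[global]
   # Permissive settings that leave LM/NTLMv1 responses in play and
   # allow unsigned sessions, which a man-in-the-middle can alter:
   #   client ntlmv2 auth = no
   #   client lanman auth = yes
   #   client signing = auto

   # Hardened client side: send only NTLMv2, or Kerberos via SPNEGO
   client ntlmv2 auth = yes
   client lanman auth = no
   client plaintext auth = no
   client use spnego = yes

   # Require signing on sessions Samba initiates, so traffic to the DC
   # cannot be silently modified in transit
   client signing = mandatory

   # Server side ("NTLMv2 everywhere"): refuse LM and NTLMv1 from
   # clients. Note this is incompatible with security = share, which
   # has no per-user challenge to validate an NTLMv2 response against.
   #   lanman auth = no
   #   ntlm auth = no
   #   server signing = mandatory
```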