[Samba] Can Winbind go directly to LDAP/Kerberos? Or is it PDC NTLM only?
Andrew Bartlett
abartlet at samba.org
Sat Nov 26 07:54:56 GMT 2005
On Mon, 2005-11-21 at 15:19 -0800, SAMBA wrote:
> Hi.
> I've been digging through published and online documents, but most
> documentation is oriented to old-school PDC. I want to avoid NTLM and
> PDCs of the past for security and performance reasons (NTLM single DES
> vs. Kerberos triple DES for instance)
The issue of what authentication types are supported is not really
related to which user information model is adopted. That is, I suggest
you choose to use winbind as per the standard documentation, then set
your DC to only accept NTLMv2 and Kerberos (and triple-DES Kerberos
etc).

The biggest real threat with network security is the LM half of NTLM
authentication, which should be disabled (possibly by group policy) on
the clients. (Modern clients will negotiate NTLM2, which removes the
problematic LM authentication, but this can be modified by an active
attacker.)
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Samba Developer, SuSE Labs, Novell Inc. http://suse.de
Authentication Developer, Samba Team http://samba.org
Student Network Administrator, Hawker College http://hawkerc.net
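
An added example, not part of the original post and not Samba project code: a small audit of a Samba member's smb.conf for explicit settings that keep LM or NTLMv1 in play, the server-side counterpart of the client hardening described above. The parameter names are taken from smb.conf(5), not from the post; the sample configuration is constructed, and unset parameters are not flagged because defaults differ between Samba versions.

```python
import re

# Explicit [global] values that allow LM or NTLMv1 (names from smb.conf(5)).
WEAK = {
    "lanman auth": {"yes", "true", "1"},         # server accepts LM responses
    "client lanman auth": {"yes", "true", "1"},  # client sends LM responses
    "client ntlmv2 auth": {"no", "false", "0"},  # client does not use NTLMv2
    "ntlm auth": {"yes", "true", "1", "ntlmv1-permitted"},  # server takes NTLMv1
}

def norm(name):
    """Samba compares parameter names ignoring case and whitespace."""
    return "".join(name.lower().split())

def parse_global(text):
    """Return {normalized parameter: value} for the [global] section."""
    params, section = {}, None
    text = re.sub(r"\\\r?\n", "", text)  # join backslash-continued lines
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # blank line or whole-line comment
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[norm(key)] = value.strip()
    return params

def audit(text):
    """List (parameter, value) pairs that explicitly keep LM/NTLMv1 enabled."""
    params = parse_global(text)
    return [(key, params[norm(key)]) for key, weak in WEAK.items()
            if params.get(norm(key), "").lower() in weak]

# Constructed sample configuration, not taken from the post.
SAMPLE = """
[global]
   workgroup = EXAMPLE
   security = ads
   lanman auth = yes
   Client NTLMv2 Auth = no
   ntlm auth = ntlmv2-only
[homes]
   read only = no
"""

if __name__ == "__main__":
    for key, value in audit(SAMPLE):
        print(f"weak: {key} = {value}")
```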