[Samba] Can Winbind go directly to LDAP/Kerberos? Or is it PDC NTLM only?

Andrew Bartlett abartlet at samba.org
Sat Nov 26 07:54:56 GMT 2005


On Mon, 2005-11-21 at 15:19 -0800, SAMBA wrote:
> Hi.

> I've been digging through published and online documents, but most
> documentation is oriented to old-school PDC.  I want to avoid NTLM and
> PDCs of the past for security and performance reasons (NTLM single DES
> vs. Kerberos triple DES for instance)

The issue of what authentication types are supported is not really
related to which user information model is adopted.  That is, I suggest
you choose to use winbind as per the standard documentation, then set
your DC to only accept NTLMv2 and Kerberos (and triple-des kerberos
etc).

The biggest real threat with network security is the LM half of NTLM
authentication, which should be disabled (possibly by group policy) on
the clients.  (Modern clients will negotiate NTLM2, which removes the
problematic LM authentication, but this can be modified by an active
attacker.)

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Samba Developer, SuSE Labs, Novell Inc.        http://suse.de
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net
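
Added example, not part of Andrew Bartlett's message or of Samba's own code: a small audit of an smb.conf `[global]` section for the LM/NTLMv1 settings the reply recommends turning off on a Samba client or member server. The parameter names are those documented in smb.conf(5); the "weak" policy table and the sample configuration are constructed for illustration, and unset parameters are reported as such because their defaults differ between Samba versions.

```python
# Names are smb.conf(5) parameters with whitespace removed; the "weak"
# values are this example's policy (assumption), not a Samba API.
WEAK = {
    "lanmanauth": {"yes"},                    # server accepts LM responses
    "clientlanmanauth": {"yes"},              # client sends LM responses
    "clientplaintextauth": {"yes"},           # client sends cleartext passwords
    "ntlmauth": {"yes", "ntlmv1-permitted"},  # server accepts NTLMv1
    "clientntlmv2auth": {"no"},               # client does not insist on NTLMv2
}
TRUE, FALSE = {"yes", "true", "on", "1"}, {"no", "false", "off", "0"}

def normalise_value(value):
    """Fold Samba's boolean spellings to yes/no; keep other values as-is."""
    v = value.strip().lower()
    return "yes" if v in TRUE else "no" if v in FALSE else v

def parse_global(text):
    """Return {normalised name: value} for the [global] section only."""
    section, params = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":       # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            name, value = line.split("=", 1)
            # Samba ignores case and whitespace in parameter names.
            params["".join(name.split()).lower()] = normalise_value(value)
    return params

def audit(text):
    """Classify each watched parameter as 'weak', 'ok' or 'unset'."""
    params = parse_global(text)
    return {name: "unset" if name not in params
            else "weak" if params[name] in weak else "ok"
            for name, weak in WEAK.items()}

# Constructed sample configuration (not from the original thread).
SAMPLE = """[global]
   security = ads
   Client LANMAN Auth = Yes
   client ntlmv2 auth = yes
   ; lanman auth = yes
   ntlm auth = no
[share]
   lanman auth = yes
"""
if __name__ == "__main__":
    for name, status in audit(SAMPLE).items():
        print(f"{name}: {status}")
```
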