[Samba] RE: WANTED: mod_ntlm_winbind developer
Andrew Bartlett
abartlet at samba.org
Thu Sep 8 21:46:34 GMT 2005
On Thu, 2005-09-08 at 18:27 +0400, Dmitry Andrianov wrote:
> Guys,
> if the only thing needed is to port 1.3 version to 2.0 we also can do
> that.
>
> The only thing I do not understand completely is: "I have not had the
> time or energy to properly maintain (it needs basic
> auth added), ". Why basic? To my knowledge (very limited) NTLM auth
> never sends passwords in plain even if user is asked for login/password
> with a popup window. Am I wrong?

So, if you are an administrator who has deployed mod_ntlm_winbind, you
may not wish to lock out clients running older Mozilla, or lynx, or ...
So, you will want to accept as a last option, a basic authentication
request, and submit this to your DC for verification. We have all the
hooks for this, I just didn't add them back to mod_ntlm_winbindd when I
ported it to ntlm_auth.

> Actually, this is why we started playing mod_ntlm_winbindd at all -
> we already deployed Kerberos auth and it works fine except for the
> remote user visit - in this case since mod_auth_kerb does not see
> valid ticket, it falls back to basic auth and consequently receives
> password in plaintext. We want to avoid plaintext passwords but we can
> not use https everywhere. That is why we wanted to try NTLM instead of
> Kerberos.

Yep, or worse still when it gets sent a Negotiate header starting with
NTLMSSP....

Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Samba Developer, SuSE Labs, Novell Inc. http://suse.de
Authentication Developer, Samba Team http://samba.org
Student Network Administrator, Hawker College http://hawkerc.net
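
The following is an added example, not part of the original message or of mod_ntlm_winbind or mod_auth_kerb: a small classifier for `Authorization` header values that separates the cases discussed in this thread (Basic credentials readable without TLS, a raw NTLMSSP token, a raw NTLMSSP token sent under the Negotiate scheme, and a GSS-API/SPNEGO token). The function name, return shape and sample headers are assumptions made for illustration.

```python
import base64
import binascii

NTLMSSP_SIG = b"NTLMSSP\x00"       # every raw NTLM message opens with this
SPNEGO_TAGS = (0x60, 0xA1)          # GSS-API initial token / SPNEGO NegTokenResp
NTLM_TYPES = {1: "negotiate", 2: "challenge", 3: "authenticate"}

def classify_authorization(header_value, over_tls):
    """Return (scheme, detail, cleartext_password_exposed)."""
    scheme, _, blob = header_value.strip().partition(" ")
    scheme = scheme.lower()
    if scheme not in ("basic", "ntlm", "negotiate"):
        return ("other", "unhandled scheme", False)
    try:
        raw = base64.b64decode(blob.strip(), validate=True)
    except (binascii.Error, ValueError):
        return (scheme, "malformed base64", False)
    if scheme == "basic":
        # Basic is just base64("user:password"): readable by anyone on the
        # path unless the connection is TLS-protected.
        user = raw.split(b":", 1)[0].decode("latin-1")
        return ("basic", "user=" + user, not over_tls)
    if raw.startswith(NTLMSSP_SIG):
        if len(raw) < 12:
            return (scheme, "truncated NTLMSSP", False)
        # Message type is a little-endian 32-bit field after the signature.
        kind = NTLM_TYPES.get(int.from_bytes(raw[8:12], "little"), "unknown")
        detail = "raw NTLMSSP " + kind
        if scheme == "negotiate":
            detail += " inside Negotiate (not SPNEGO-wrapped)"
        return (scheme, detail, False)
    if scheme == "negotiate" and raw[:1] and raw[0] in SPNEGO_TAGS:
        return ("negotiate", "GSS-API/SPNEGO token", False)
    return (scheme, "unrecognised token", False)

if __name__ == "__main__":
    # Constructed sample headers, not captured traffic.
    ntlm1 = base64.b64encode(NTLMSSP_SIG + (1).to_bytes(4, "little") + bytes(4)).decode()
    samples = [
        ("Basic " + base64.b64encode(b"alice:constructed-pw").decode(), False),
        ("Negotiate " + ntlm1, False),
        ("Negotiate " + base64.b64encode(b"\x60\x06\x06\x04\x2b\x06\x01\x05").decode(), False),
    ]
    for value, tls in samples:
        print(classify_authorization(value, tls))
```

Run over request logs that record the scheme and token prefix, a check like this shows how often clients fall back to Basic on non-TLS virtual hosts and how often a Kerberos-only module is handed an NTLMSSP token it cannot process.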