[Samba] Advice regarding pre-authentication (was: Re: Kerberos authentication issue after upgrading from 4-14-stable to 4-15-stable)

Andrew Bartlett abartlet at samba.org
Tue Feb 1 00:00:49 UTC 2022


On Wed, 2022-01-26 at 21:00 +0100, Stefan Kania via samba wrote:
> As I told you before, I only use it with openldap together with
> MIT-Kerberos, and there you disable preauth on the kerberos server in
> kdc.conf. I never did it on a Samba-DC.

Just looping back on this.  NEVER disable pre-authentication.

While for a service account with a strong random password it won't make
a difference (the value protected by pre-authentication is just the
same as the one tickets are encrypted to), this is a bad idea
otherwise.

Pre-authentication prevents offline password guessing attacks against a
user's account, and should not be disabled.

I make a point of this as Samba lore is strong, and ideas get copied
around without full context and understanding of the consequences.

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett (he/him)       https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT   https://catalyst.net.nz/services/samba

Samba Development and Support, Catalyst IT - Expert Open Source
Solutions
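The offline-guessing risk described above only applies to accounts whose userAccountControl carries the DONT_REQUIRE_PREAUTH bit. As an added example (not part of this thread or of Samba's own tooling), the following script reads LDIF of the kind ldbsearch prints for user objects, lists enabled accounts with pre-authentication switched off, and emits an LDIF modify record that clears the bit; the directory entries embedded in it are constructed sample data.

```python
# Added example (not from the original post): audit a Samba AD DC for accounts
# whose userAccountControl has DONT_REQUIRE_PREAUTH set, i.e. accounts for which
# the KDC skips Kerberos pre-authentication. Input is LDIF such as ldbsearch
# prints; the records below are constructed sample data, not real directory output.

UF_ACCOUNTDISABLE = 0x0002          # userAccountControl bit: account is disabled
UF_DONT_REQUIRE_PREAUTH = 0x400000  # userAccountControl bit: no pre-auth required

SAMPLE_LDIF = """\
# record 1 (constructed)
dn: CN=alice,CN=Users,DC=example,DC=com
sAMAccountName: alice
userAccountControl: 512

dn: CN=bob,CN=Users,DC=example,DC=com
sAMAccountName: bob
userAccountControl: 4194816

dn: CN=old-svc,CN=Users,DC=example,DC=com
sAMAccountName: old-svc
userAccountControl: 4194818
"""

def parse_ldif(text):
    """Minimal LDIF reader: blank-line separated records, '#' comment lines skipped."""
    records = []
    for block in text.strip().split("\n\n"):
        attrs = [ln.partition(":") for ln in block.splitlines() if ln and not ln.startswith("#")]
        records.append({a.strip(): v.strip() for a, _, v in attrs})
    return records

def accounts_without_preauth(text, include_disabled=False):
    """Return sAMAccountNames whose userAccountControl has DONT_REQUIRE_PREAUTH set."""
    found = []
    for rec in parse_ldif(text):
        uac = int(rec.get("userAccountControl", "0"))
        if not uac & UF_DONT_REQUIRE_PREAUTH:
            continue
        if uac & UF_ACCOUNTDISABLE and not include_disabled:
            continue  # disabled accounts cannot obtain an AS-REP anyway
        found.append(rec["sAMAccountName"])
    return found

def fix_ldif(dn, uac):
    """LDIF modify record that re-enables pre-auth; feed it to ldbmodify or ldapmodify."""
    return (f"dn: {dn}\nchangetype: modify\nreplace: userAccountControl\n"
            f"userAccountControl: {uac & ~UF_DONT_REQUIRE_PREAUTH}\n")
```

Run the audit against real output by piping `ldbsearch` results for `(objectClass=user)` with the `sAMAccountName` and `userAccountControl` attributes into `accounts_without_preauth`.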
