svn commit: samba r17610 - in branches/SAMBA_3_0/source: . lib nsswitch utils
Andrew Bartlett
abartlet at samba.org
Sat Aug 19 21:46:47 GMT 2006
On Sat, 2006-08-19 at 12:14 -0700, Jeremy Allison wrote:
> On Sat, Aug 19, 2006 at 06:01:34PM +1000, Andrew Bartlett wrote:
>
> > I'm thinking we don't want winbindd to do this. ntlm_auth should, but
> > we can leave winbindd stateless in this respect. Winbindd should not be
> > returning a NTLMSSP blob, but instead just the NTLM response, which the
> > client library can then inject into the NTLMSSP stream.
>
> I might move towards that.
>
> > This would also allow smbclient to use this, even against older servers
> > not doing NTLMSSP. Imagine the cups smbprint using this, and finally
> > getting working authenticated smb printing, with NTLM or libsmbclient
> > using it for transparent gnome-vfs.
>
> There's a horrid hack we use in SLES10 to make this work already,
> but in general I like that idea - much nicer than what we do now.
>
> I will modify the NTLM state in Samba3 to store only the NT and
> LM hashes, as there is no crypto in NTLMSSP that needs the plaintext
> for anything other than generating an intermediate NT or LM hash
> I think. I'm still looking into this. If I'm right it'll make
> winbindd less sensitive to storing plaintext passwords.

That's correct, and an entrypoint I support in the Samba4
NTLMSSP/credentials code.

Also, for plaintext: do you store the plaintext or a hash for the
offline credentials? You should store a salted hash.

Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Red Hat Inc. http://redhat.com
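
The salted-hash suggestion for offline credentials, as an added sketch that is not part of the original message or of Samba's code: the cache record keeps a random salt and an iterated digest of the NT hash, never the NT hash itself. The record layout, PBKDF2-HMAC-SHA256, the iteration count and the sample hash values are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Hypothetical parameters for this sketch; not Samba's actual cache format.
SALT_LEN = 16
ITERATIONS = 100_000
NT_HASH_LEN = 16


def make_cache_entry(nt_hash: bytes, salt: Optional[bytes] = None) -> dict:
    """Build an offline-logon cache record from a 16-byte NT hash.

    Only the salt and a salted, iterated digest are kept. The NT hash,
    which is sufficient to compute NTLM responses, is not stored.
    """
    if len(nt_hash) != NT_HASH_LEN:
        raise ValueError("NT hash must be 16 bytes")
    salt = os.urandom(SALT_LEN) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", nt_hash, salt, ITERATIONS)
    return {"salt": salt, "iterations": ITERATIONS, "digest": digest}


def verify_offline(candidate_nt_hash: bytes, entry: dict) -> bool:
    """Check a logon attempt against the cache record while offline."""
    if len(candidate_nt_hash) != NT_HASH_LEN:
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate_nt_hash, entry["salt"], entry["iterations"]
    )
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(digest, entry["digest"])


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    good = bytes.fromhex("00112233445566778899aabbccddeeff")
    bad = bytes.fromhex("ffeeddccbbaa99887766554433221100")
    entry = make_cache_entry(good)
    print("correct hash accepted:", verify_offline(good, entry))
    print("wrong hash accepted:  ", verify_offline(bad, entry))
    print("NT hash present in record:", good in entry.values())
```
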