question regarding NTLM authentication

Andrew Bartlett abartlet at samba.org
Wed May 24 02:58:08 GMT 2006


On Tue, 2006-05-23 at 22:53 -0400, simo wrote:
> On Wed, 2006-05-24 at 08:32 +1000, Andrew Bartlett wrote:
> 
> > The first task is for someone to re-implement 'security=server' in
> > Samba4, using the credentials system as the glue.
> 
> I would honestly like to NOT see security=server for samba4.
> If you need to auth against a DC you can just use domain security,
> that's the right way to do it. I can understand why we made it into samba
> and why we keep it in samba3 but I can't see why we should add something
> like that in samba4.
> In most cases it will not work anyway, today SMB signing is on by
> default on most servers.
> 
> Let it just be a sort of hack in an auth module in security=user where
> instead of checking the password locally we "check" it against a remote
> server.
> 
> I would also like to start moving away from the "security=" way of doing
> stuff and just use a role= parameter which makes much more sense.

In this we are agreed.  I use the name only because it clearly defines
the MITM attack we want, for these CIFS proxy use cases.  I don't expect
it will be the actual name of any Samba4 parameter.

(The use case is to re-use the connection established with
'security=server' for the ongoing proxied CIFS connection.)

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net