Phil Mayers <[EMAIL PROTECTED]> wrote:

> Isn't libntlm client-side NTLM?

It validates NTLM requests, and uses username/passwd to generate NTLM requests to send to a server.

> As far as I know, to execute the required RPCs you need a machine
> account

Which Samba doesn't do. Remember, Samba still only does NT4-style authentication for NTLM. As I've said, I've watched it with tcpdump. 4 packets isn't a lot.

> With later versions of
> windows, 2k3 in particular, the amount of support required for even
> basic netlogon RPCs is large, as they've upped the security ante.

So you avoid it by doing NT4 authentications.

> Perhaps we could invert the problem - a small, easily auditable binary
> compiled for win32 that listens on a TCP port, uses some lightweight
> method to secure connections (maybe SRP?) and acts as an
> ultra-lightweight proxy for the required RPCs? Sites that want to can
> just run it as a service on the PDC or any member server. Sites large
> enough to forbid this are likely large enough to put the effort into
> running Samba.

Sure. But why do all that when you can just run a RADIUS server on the box?

If FreeRADIUS had a "native" windows authentication module, then most of these issues could be avoided by running a full RADIUS remotely, and a small radius on the Windows box.

Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

