Hello!

On Mon, Oct 16, 2006 at 05:05:20PM -0400, Jeffrey Altman wrote:

> In answer to your question regarding Samba. There are several sites
> that I work with who have used Samba as a gateway for users on MacOS X
> and Windows that do not have AFS clients installed. The number one
> issue that they complain about is the fact that in order to use the
> --fake-kaserver functionality in conjunction with either a Kerberos
> KDC authentication or an LDAP authentication, the clients have to be
> configured to send username/password in the clear. Sending the user's

Hmmmm. I don't understand what you are saying here. --fake-kaserver was explicitly written to not force plain text passwords sent from the clients. This is certainly traded for having the server keyfile stored on the Samba server. Samba itself does have all capabilities of making authentication as secure as Windows gets.

If you mean by "ldap authentication" that Samba should do a simple bind to an LDAP server to figure out if a user has his pw correct, then sure, you need plain text passwords to be sent by the clients. But this is an entirely orthogonal issue to the --fake-kaserver thing.

And, Samba can nowadays be configured to accept Kerberos tickets even without being an ADS member, but Windows clients will not appreciate this. But that's just Windows.

> Kerberos password in the clear is not a desirable solution. This may be
> improved with Vista clients since Vista will negotiate TLS first and
> then perform the SMB authentication on top of that. Even if you are

Wait a second -- Vista will do TLS-protected SMB? Where can I read more about this, this sounds VERY interesting. I've never heard of that!

Volker
