On Thu, 2005-09-08 at 18:27 +0400, Dmitry Andrianov wrote:
> Guys,
> if the only thing needed is to port 1.3 version to 2.0 we also can do
> that.
>
> The only thing I do not understand completely is: "I have not had the
> time or energy to properly maintain (it needs basic
> auth added), ". Why basic? To my knowledge (very limited) NTLM auth
> never sends passwords in plain even if user is asked for login/password
> with a popup window. Am I wrong?

So, if you are an administrator who has deployed mod_ntlm_winbind, you may not wish to lock out clients running older mozilla, or lynx, or ... So, you will want to accept as a last option, a basic authentication request, and submit this to your DC for verification. We have all the hooks for this, I just didn't add them back to mod_ntlm_winbindd when I ported it to ntlm_auth.

> Actually, this is why we started playing mod_ntlm_winbindd at all -
> we already deployed Kerberos auth and it works fine except for the
> remote user visit - in this case since mod_auth_kerb does not see
> valid ticket, it falls back to basic auth and consequently receives
> password in plaintext. We want to avoid plaintext passwords but we can
> not use https everywhere. That is why we wanted to try NTLM instead of
> Kerberos.

Yep, or worse still when it gets sent a Negotiate header starting with NTLMSSP....

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Samba Developer, SuSE Labs, Novell Inc. http://suse.de
Authentication Developer, Samba Team http://samba.org
Student Network Administrator, Hawker College http://hawkerc.net
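The header cases discussed in this thread (a Basic fallback, NTLM, and a Negotiate header that carries raw NTLMSSP), as an added example that is not part of either message and is not code from mod_ntlm_winbind or mod_auth_kerb: a Python classifier for Authorization header values. The function names, result labels and sample values are constructed for illustration.

```python
import base64
import struct

NTLMSSP_SIG = b"NTLMSSP\x00"  # every NTLMSSP message starts with this signature


def classify_authorization(value, over_tls=False):
    """Return (scheme, detail, cleartext_password_exposed) for one header value."""
    scheme, _, blob = value.strip().partition(" ")
    scheme = scheme.lower()
    try:
        raw = base64.b64decode(blob.strip(), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return scheme, "malformed", False

    if scheme == "basic":
        # Basic is only base64("user:password"); off TLS the password is readable.
        if b":" not in raw:
            return scheme, "malformed", False
        return scheme, "user-password", not over_tls

    if scheme in ("ntlm", "negotiate"):
        if raw.startswith(NTLMSSP_SIG) and len(raw) >= 12:
            msg_type = struct.unpack_from("<I", raw, 8)[0]  # 1, 2 or 3
            kind = "ntlmssp-type%d" % msg_type
            # Raw NTLMSSP inside Negotiate is not a Kerberos/SPNEGO token.
            return scheme, ("raw-" + kind if scheme == "negotiate" else kind), False
        if scheme == "negotiate" and raw[:1] == b"\x60":
            # 0x60 is the ASN.1 tag that opens an initial GSS-API token.
            return scheme, "gssapi-token", False
        return scheme, "unrecognized", False

    return scheme, "unknown-scheme", False


def make_header(scheme, raw):
    """Build a constructed sample header value from raw bytes."""
    return scheme + " " + base64.b64encode(raw).decode("ascii")


# Constructed samples, not captured traffic.
NTLM_TYPE1 = NTLMSSP_SIG + struct.pack("<II", 1, 0x00088207)
SAMPLES = [
    make_header("Basic", b"alice:s3cret"),
    make_header("NTLM", NTLM_TYPE1),
    make_header("Negotiate", NTLM_TYPE1),
    make_header("Negotiate", b"\x60\x06\x06\x04\x2b\x06\x01\x05"),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(classify_authorization(sample))
```

Run over access or proxy logs that record the Authorization header, the third field marks requests where a Basic fallback put a password on the wire without TLS.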
