On Mon, 2006-03-06 at 21:22 -0600, Gerald (Jerry) Carter wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Andrew Bartlett wrote: > > On Thu, 2006-03-02 at 22:50 +0100, Mark Proehl wrote: > > > >> I created a patch that introduces a new parameter "disable lanman hash" > >> (attached). > > > > I think this is the correct approach. I've been considering the same > > for Samba4 (where we also need to consider what kerberos enc types are > > reasonable). > > The only thing about the original patch that made me go > ughh was the new parameter. Can we piggy back this off > an existing setting somehow? Perhaps 'lanman auth = no'?
That would be reasonable, and has pro's and cons: - The admin probably expects that 'lanman auth = no' prevents any work (storage and authentication) with the LM hash - But this prevents the admin from storing the hash for the future, in case he has to back out of the security upgrade (finds win9X machines back on the network). Andrew Bartlett -- Andrew Bartlett http://samba.org/~abartlet/ Authentication Developer, Samba Team http://samba.org Student Network Administrator, Hawker College http://hawkerc.net
signature.asc
Description: This is a digitally signed message part
-- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
