mod_auth_kerb and kerberos

Andrew Bartlett abartlet at samba.org
Thu Sep 8 17:32:22 EDT 2005


On Thu, 2005-09-08 at 09:40 -0700, Henry B. Hotz wrote:
> Well, personally, I don't like having code that keeps your permanent  
> password on file, which is what I understand NTLMx requires.  OTOH I  
> like having better compatibility.
> 
> Is this functional if you don't have an LDAP back-end on Heimdal?  I.e.  
> don't you need some different key information than a standard kdc uses?

mod_ntlm_winbind talks to ntlm_auth (a Samba component), which typically
talks to a Windows-compatible domain controller of some kind.  The
passwords are handled at the DC, not at the webserver.  Indeed, the DC
requires keeping the NT password hash, but as it's usually doing so
anyway, that isn't an extra risk.

Andrew Bartlett
-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Samba Developer, SuSE Labs, Novell Inc.        http://suse.de
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net