mod_auth_kerb and kerberos

Henry B. Hotz hotz at jpl.nasa.gov
Thu Sep 8 18:05:01 EDT 2005


On Sep 8, 2005, at 2:32 PM, Andrew Bartlett wrote:

> On Thu, 2005-09-08 at 09:40 -0700, Henry B. Hotz wrote:
>> Well, personally, I don't like having code that keeps your permanent
>> password on file, which is what I understand NTLMx requires.  OTOH I
>> like having better compatibility.
>>
>> Is this functional if you don't have an LDAP back-end on Heimdal?  I.e.
>> don't you need some different key information than a standard kdc
>> uses?
>
> mod_ntlm_winbind talks to ntlm_auth (a samba component), which typically
> talks to a windows-compatible domain controller of some kind.  The
> passwords are handled at the DC, not at the webserver.  Indeed, the DC
> requires keeping the NT password hash, but as it's usually doing so
> anyway, that isn't an extra risk.

Excuse the drift off-topic, but my ignorance is showing:

Is the "NT password hash" the same as the rc4-hmac Kerberos Key type?
----------------------------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz at jpl.nasa.gov, or hbhotz at oxy.edu



More information about the krbdev mailing list