mod_auth_kerb and kerberos

Henry B. Hotz hotz at
Thu Sep 8 18:05:01 EDT 2005

On Sep 8, 2005, at 2:32 PM, Andrew Bartlett wrote:

> On Thu, 2005-09-08 at 09:40 -0700, Henry B. Hotz wrote:
>> Well, personally, I don't like having code that keeps your permanent
>> password on file, which is what I understand NTLMx requires.  OTOH I
>> like having better compatibility.
>> Is this functional if you don't have an LDAP back-end on Heimdal?   
>> I.e.
>> don't you need some different key information than a standard kdc  
>> uses?
> mod_ntlm_winbind talks to ntlm_auth (a samba component), which  
> typically
> talks to a windows-compatible domain controller of some kind.  The
> passwords are handled at the DC, not at the webserver.  Indeed, the DC
> requires keeping the NT password hash, but as it's usually doing so
> anyway, that isn't an extra risk.

Excuse the drift off-topic, but my ignorance is showing:

Is the "NT password hash" the same as the rc4-hmac Kerberos Key type?
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz at, or hbhotz at

More information about the krbdev mailing list