mod_auth_kerb and kerberos

Andrew Bartlett abartlet at samba.org
Thu Sep 8 18:10:22 EDT 2005


On Thu, 2005-09-08 at 15:05 -0700, Henry B. Hotz wrote:
> On Sep 8, 2005, at 2:32 PM, Andrew Bartlett wrote:
> 
> > On Thu, 2005-09-08 at 09:40 -0700, Henry B. Hotz wrote:
> >> Well, personally, I don't like having code that keeps your permanent
> >> password on file, which is what I understand NTLMx requires.  OTOH I
> >> like having better compatibility.
> >>
> >> Is this functional if you don't have an LDAP back-end on Heimdal?  I.e.
> >> don't you need some different key information than a standard kdc uses?
> >
> > mod_ntlm_winbind talks to ntlm_auth (a samba component), which typically
> > talks to a windows-compatible domain controller of some kind.  The
> > passwords are handled at the DC, not at the webserver.  Indeed, the DC
> > requires keeping the NT password hash, but as it's usually doing so
> > anyway, that isn't an extra risk.
> 
> Excuse the drift off-topic, but my ignorance is showing:
> 
> Is the "NT password hash" the same as the rc4-hmac Kerberos Key type?

Yes (a feature I exploit, and Microsoft deliberately created).

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Samba Developer, SuSE Labs, Novell Inc.        http://suse.de
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net


More information about the krbdev mailing list