Obtaining a TGT without unrestricted access to password.
Luke Howard
lukeh at padl.com
Thu Jun 16 11:19:49 EDT 2011
AFAIK Windows caches the MD4 hash for NTLM, so it can always get rc4-hmac creds -- whether it does this I don't know.
-- Luke
On 16/06/2011, at 3:10 PM, Simo Sorce wrote:
> On Thu, 2011-06-16 at 15:49 +0100, David Woodhouse wrote:
>> AFAICT most Windows sites *don't* set a policy. They just use the
>> standard Windows default of 10-hour/10-day tickets — because it doesn't
>> really make any significant difference to Windows clients, does it?
>
> They don't really need to because they can obtain a new ticket from
> scratch every time you unlock the screensaver (to which you give your
> password), which is what we do with sssd as well as the password goes
> down the pipe through pam.
>
> So the case where a 10h/10d policy is not enough is extremely rare.
>
> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York
--
Luke Howard / lukeh at padl.com
www.padl.com / www.lukehoward.com