Phil Mayers <p.mayers@imperial.ac.uk> wrote:
Isn't libntlm client-side NTLM?
It validates NTLM requests, and uses username/passwd to generate NTLM requests to send to a server.
As far as I know, to execute the required RPCs you need a machine account
Which Samba doesn't do. Remember, Samba still only does NT4-style authentication for NTLM. As I've said, I've watched it with tcpdump. 4 packets isn't a lot.
With latter versions of windows, 2k3 in particular, the amount of support required for even basic netlogon RPCs is large, as they've upped the security ante.
So you avoid it by doing NT4 authentications.
Perhaps we could invert the problem - a small, easily auditable binary compiled for win32 that listens on a TCP port, uses some lightweight method to secure connections (maybe SRP?) and acts as an ultra-lightweight proxy for the required RPCs? Sites that want to can just run it as a service on the PDC or any member server. Sites large enough to forbid this are likely large enough to put the effort into running Samba.
Sure. But why do all that when you can just run a RADIUS server on the box? If FreeRADIUS had a "native" windows authentication module, then most of these issues could be avoided by running a full RADIUS remotely, and a small radius on the Windows box. Alan DeKok.