NTLM
Alan DeKok
aland at ox.org
Wed Feb 22 22:38:03 CET 2006
Phil Mayers <p.mayers at imperial.ac.uk> wrote:
> Isn't libntlm client-side NTLM?
It validates NTLM requests, and uses username/passwd to generate
NTLM requests to send to a server.
> As far as I know, to execute the required RPCs you need a machine
> account
Which Samba doesn't do. Remember, Samba still only does NT4-style
authentication for NTLM. As I've said, I've watched it with tcpdump.
4 packets isn't a lot.
> With later versions of
> Windows, 2k3 in particular, the amount of support required for even
> basic netlogon RPCs is large, as they've upped the security ante.
So you avoid it by doing NT4 authentications.
> Perhaps we could invert the problem - a small, easily auditable binary
> compiled for win32 that listens on a TCP port, uses some lightweight
> method to secure connections (maybe SRP?) and acts as an
> ultra-lightweight proxy for the required RPCs? Sites that want to can
> just run it as a service on the PDC or any member server. Sites large
> enough to forbid this are likely large enough to put the effort into
> running Samba.
Sure. But why do all that when you can just run a RADIUS server on
the box?
If FreeRADIUS had a "native" Windows authentication module, then
most of these issues could be avoided by running a full RADIUS server
remotely, and a small RADIUS server on the Windows box.
Alan DeKok.