Alan DeKok aland at ox.org
Wed Feb 22 22:38:03 CET 2006

Phil Mayers <p.mayers at imperial.ac.uk> wrote:
> Isn't libntlm client-side NTLM?

  It validates NTLM requests, and uses username/passwd to generate
NTLM requests to send to a server.

> As far as I know, to execute the required RPCs you need a machine 
> account

  Which Samba doesn't do.  Remember, Samba still only does NT4-style
authentication for NTLM.  As I've said, I've watched it with tcpdump.
4 packets isn't a lot.

> With latter versions of 
> windows, 2k3 in particular, the amount of support required for even 
> basic netlogon RPCs is large, as they've upped the security ante.

  So you avoid it by doing NT4 authentications.

> Perhaps we could invert the problem - a small, easily auditable binary 
> compiled for win32 that listens on a TCP port, uses some lightweight 
> method to secure connections (maybe SRP?) and acts as an 
> ultra-lightweight proxy for the required RPCs? Sites that want to can 
> just run it as a service on the PDC or any member server. Sites large 
> enough to forbid this are likely large enough to put the effort into 
> running Samba.

  Sure.  But why do all that when you can just run a RADIUS server on
the box?

  If FreeRADIUS had a "native" windows authentication module, then
most of these issues could be avoided by running a full RADIUS
remotely, and a small radius on the Windows box.

  Alan DeKok.

More information about the Freeradius-Users mailing list