
Please stop spreading false information

Posted Feb 4, 2010 16:18 UTC (Thu) by jra (subscriber, #55261)
Parent article: Samba with Active Directory: getting closer

"Samba relies on NTLM for authentication."

Completely untrue. Samba clients and servers use kerberos, and have for many, many years. Stop telling untruths about the project.

Jeremy Allison,
Samba Team.


NTLM etc

Posted Feb 4, 2010 22:52 UTC (Thu) by tridge (subscriber, #26906)

Hi Jeremy,

Unless you have an AD DC in the picture, released versions of Samba do primarily use NTLM* variants for authentication (wrapped in various auth wrappings like SPNEGO and NTLMSSP). Where the poster went off track a little bit is in thinking that current versions of NTLM still use DES, which is not true. Samba, like Windows, has deprecated the DES based challenge-response authentication for quite a while. The most commonly deployed auth in Samba these days (if you are not connected to an AD DC) is MD4 based. The same is true for Windows if you have not configured an AD domain, or if you (for example) connect to a Windows server by IP address instead of DNS name (as kerberos then doesn't work). It may not be bleeding edge when it comes to crypto, but it isn't terrible either.

Apart from that, I think the core of what drag has posted is correct. Microsoft did make kerberos+LDAP much easier to deploy by integrating it tightly with their OS, and building lots of other services on top of it. That has created a very attractive administration and security package for admins to use. There are a number of great efforts to create something similar in a Linux only environment (as detailed in a few posts above), but they have not yet reached the level of refinement that AD has.

Cheers, Tridge

PS: of course you know all this, I just wanted to clarify the details for the record on LWN.

NTLM etc

Posted Feb 5, 2010 17:21 UTC (Fri) by drag (subscriber, #31333)

Yeah. Thanks for the clarifications; both of you.

I am certainly no expert on the subject. I just get frustrated trying to do the same things on Linux that have been relatively very easy to do on Windows for years now.

Please stop spreading false information

Posted Feb 5, 2010 1:36 UTC (Fri) by kjp (subscriber, #39639)

I'd rather have NTLM over Kerberos. Anything that needs a 'replay cache' is incredibly, fundamentally broken and susceptible to MITM. Please, let's have a Kerberos 6 that has client challenges.
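As an added illustration of what the replay cache kjp mentions actually does (and does not do), this is a constructed model written for this page, not Kerberos code: a service remembers each authenticator's (client, ctime, cusec) for the clock-skew window and rejects a second presentation. The 300-second skew and the principal names and timestamps are assumptions for the demo.

```python
MAX_SKEW = 300  # seconds; 5 minutes is the customary Kerberos clockskew default (assumed here)


class ReplayCache:
    """Minimal model of a service-side replay cache: remember each authenticator's
    (client, ctime, cusec) for the skew window and refuse to accept it twice."""

    def __init__(self, skew: int = MAX_SKEW):
        self.skew = skew
        self.seen = {}  # (client, ctime, cusec) -> ctime, kept until it ages out

    def accept(self, client: str, ctime: int, cusec: int, now: int) -> str:
        # Entries older than the skew window cannot be replayed successfully anyway,
        # because the timestamp check below rejects them, so they can be dropped.
        for key in [k for k, t in self.seen.items() if now - t > self.skew]:
            del self.seen[key]
        if abs(now - ctime) > self.skew:
            return "CLOCK_SKEW"
        key = (client, ctime, cusec)
        if key in self.seen:
            return "REPLAY"
        self.seen[key] = ctime
        return "OK"


def demo():
    """Constructed scenario: one authenticator presented to the same service twice,
    then to a second service instance that does not share the cache."""
    auth = ("alice@EXAMPLE.COM", 1_000_000, 42)  # constructed principal and timestamp
    svc_a = ReplayCache()
    first = svc_a.accept(*auth, now=1_000_010)   # fresh: accepted
    again = svc_a.accept(*auth, now=1_000_020)   # same authenticator, same cache: caught
    svc_b = ReplayCache()                        # second instance without a shared cache
    other = svc_b.accept(*auth, now=1_000_030)   # accepted: nothing here has seen it
    late = svc_a.accept("bob@EXAMPLE.COM", 1_000_000, 7, now=1_000_400)  # outside skew
    return first, again, other, late


if __name__ == "__main__":
    print(demo())
```

The third result is the operational caveat behind kjp's complaint: within the skew window the only thing stopping a replay is the cache, so it has to be shared (or the service has to be single-instance) for the protection to hold, and clocks on both sides must be kept in sync for the window itself to be enforceable.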

Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds