Re: Question

From: Jerry Murdock <jmurdock@dont-contact.us>
Date: Wed, 31 Jul 2002 23:30:29 -0400

----- Original Message -----
From: "Andrew Bartlett" <abartlet@samba.org>
To: <Pedro.Bacchella@lomanegra.com.ar>
Cc: "Jerry Murdock" <jmurdock@itraktech.com>; <squid-dev@squid-cache.org>
Sent: Wednesday, July 31, 2002 4:56 AM
Subject: Re: Question

> Also - just ditch pam_smb_auth. That pam module has 'bad idea' written
> all over it, and has serious, known issues. Implementing an SMB client
> in a PAM module just is not a good idea - and because it does not use
> full RPC Netlogon, it is inherently vulnerable to spoofing.
>
> As far as I know, the 'smb_auth' program and pam_smb are both based off
> the same (old) sources, and are both as insecure as each other.
>
> The use of pam_winbind or the winbind basic authentication helper is much
> more likely to gain you a functional system, and more particularly a
> secure system - as the PDC's credentials are checked.
>
> You could also consider the winbind NTLM authentication helper.
>
Andrew is right. Winbind is only slightly more difficult to set up than
pam_smb, and I have been very pleased with the results. I am replacing
pam_smb_auth everywhere I use(d) it.

NTLM auth with winbind has been working great for me, but would require you
to run Squid 2.5.

pam_winbind should work well with 2.4's pam support, or you could probably
grab the winbind basic auth helper (wb_auth) from 2.5 and run it with Squid
2.4.

Jerry
Received on Wed Jul 31 2002 - 21:35:01 MDT
