On Thu, Mar 29, 2007 at 11:32:59AM -0700, James Peach wrote:
>
> You probably also want to allow shares to have different levels of
> encryption. For example,
>
> [share_really_secure]
> encryption = mandatory
> minimum encryption = the_best_algorithm_we_implement
>
> [homes]
> encryption = mandatory
> minimum encryption = the_faster_but_weaker_algorithm

I'm going to leave this up to the /etc/krb5.conf as I'm using gss-api for this. I don't think we need to get that fancy. For connection via IP (i.e. non-krb5) we'll default to NTLM encryption. If you don't want that then turn off NTLM via the normal mechanisms. People who are this security aware will be using krb5 anyway and will turn off NTLM auth altogether.

Actually, looking at our code it looks like currently we don't have a way to turn off NTLMv2 and force krb5 only for auth. We probably need to add this.

> There's 2 issues - the first is supporting the configuration above,
> the second is that the only space we have in the protocol is in trans2
> levels which require a tree connection. Life sucks :-).

> If you wanted encryption to be a property of the VC, you could connect
> to [Samba$] and negotiate it there which would work around the second
> issue. If some shares require encryption and some don't you can just
> set up different VCs to handle it.

I think it'd be IPC$, rather than Samba$, but the idea is the same.

> That said, we can live with having encryption as a property of the
> TID :)

Cool ! Now all I need do is work with Andrew Bartlett on where the NTLM signature should be for maximum compatibility with SSPI. We're making progress (although you can see the sausage being made and it's not pretty :-) :-).

Jeremy.
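To make the per-share proposal in the quoted text concrete, here is an added example (not code from the thread or from Samba) that parses a config in the proposed shape and decides, per tree connect, whether the cipher negotiated on the session satisfies that share's policy. The "encryption" / "minimum encryption" keys, the algorithm names, their strength ranking and the [homes] fallback for unnamed shares are all assumptions for the illustration.

```python
import configparser

# Constructed smb.conf fragment in the shape James Peach proposed; the
# "encryption" / "minimum encryption" keys and the algorithm names are the
# thread's hypothetical ones, not real Samba parameters.
PROPOSED_SMB_CONF = """[global]
encryption = optional

[share_really_secure]
encryption = mandatory
minimum encryption = the_best_algorithm_we_implement

[homes]
encryption = mandatory
minimum encryption = the_faster_but_weaker_algorithm

[public]
"""

# Assumed strength ranking of the hypothetical algorithm names (higher is stronger).
STRENGTH = {"the_faster_but_weaker_algorithm": 1, "the_best_algorithm_we_implement": 2}


def load_policy(text):
    cp = configparser.ConfigParser()
    cp.read_string(text)
    return cp


def tree_connect_allowed(policy, share, negotiated_cipher):
    """Return (allowed, reason) for a tree connect (TID) to `share`.
    `negotiated_cipher` is None when the session negotiated no encryption.
    A share with no section of its own falls back to [homes], as Samba does
    for per-user home shares; keys missing from a section inherit [global]."""
    section = share if policy.has_section(share) else "homes"
    glob = policy["global"] if policy.has_section("global") else {}
    opts = policy[section]
    mode = opts.get("encryption", glob.get("encryption", "optional"))
    minimum = opts.get("minimum encryption", glob.get("minimum encryption"))

    if negotiated_cipher is None:
        if mode == "mandatory":
            return False, f"{section}: encryption mandatory but none negotiated"
        return True, f"{section}: encryption optional, cleartext accepted"
    if negotiated_cipher not in STRENGTH:
        return False, f"{section}: unknown cipher {negotiated_cipher!r}"
    # an unknown or misspelt minimum outranks everything, so the check fails closed
    if minimum and STRENGTH[negotiated_cipher] < STRENGTH.get(minimum, len(STRENGTH) + 1):
        return False, f"{section}: {negotiated_cipher} is below minimum {minimum}"
    return True, f"{section}: {negotiated_cipher} accepted"
```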