search for: pac_credential_info

On Tue, 20 Dec 2016 13:50:40 +0000 Brian Candler via samba <samba at lists.samba.org> wrote: > Rowland Perry wrote: > > >/imdap config AD : backend = rid /> >/ > /> How did you 'fix' > > >this, on face value, there is nothing wrong with that line. > > > "imdap" is not "idmap" > > (so now you understand why I

...or TTLS+GTC, both of which send a >> cleartext password) > You might want to read this: > > https://www.samba.org/samba/history/samba-4.5.0.html I'm not sure which section you mean is relevant. Maybe this: "When doing a PKINIT based Kerberos logon the KDC adds the required PAC_CREDENTIAL_INFO element to the authorization data. That means the NTHASH is shared between the PKINIT based client and the domain controller, which allows the client to do NTLM based authentication on behalf of the user." That sounds cool, but I can already use ntlm_auth to validate the MSCHAP passwords. Mo...

...serAccountControl attribute. At the same time the account password is reset to a random NTHASH value. Interactive password logons are rejected, if the UF_SMARTCARD_REQUIRED bit is set in the userAccountControl attribute of a user. When doing a PKINIT based kerberos logon the KDC adds the required PAC_CREDENTIAL_INFO element to the authorization data. That means the NTHASH is shared between the PKINIT based client and the domain controller, which allows the client to do NTLM based authentication on behalf of the user. It also allows on offline logon using a smartcard to work on Windows clients. CTDB changes --...

...serAccountControl attribute. At the same time the account password is reset to a random NTHASH value. Interactive password logons are rejected, if the UF_SMARTCARD_REQUIRED bit is set in the userAccountControl attribute of a user. When doing a PKINIT based kerberos logon the KDC adds the required PAC_CREDENTIAL_INFO element to the authorization data. That means the NTHASH is shared between the PKINIT based client and the domain controller, which allows the client to do NTLM based authentication on behalf of the user. It also allows on offline logon using a smartcard to work on Windows clients. CTDB changes --...

...erAccountControl attribute. At the same time, the account password is reset to a random NTHASH value. Interactive password logons are rejected, if the UF_SMARTCARD_REQUIRED bit is set in the userAccountControl attribute of a user. When doing a PKINIT based Kerberos logon the KDC adds the required PAC_CREDENTIAL_INFO element to the authorization data. That means the NTHASH is shared between the PKINIT based client and the domain controller, which allows the client to do NTLM based authentication on behalf of the user. It also allows an offline logon using a smartcard to work on Windows clients. CTDB changes --...

...erAccountControl attribute. At the same time, the account password is reset to a random NTHASH value. Interactive password logons are rejected, if the UF_SMARTCARD_REQUIRED bit is set in the userAccountControl attribute of a user. When doing a PKINIT based Kerberos logon the KDC adds the required PAC_CREDENTIAL_INFO element to the authorization data. That means the NTHASH is shared between the PKINIT based client and the domain controller, which allows the client to do NTLM based authentication on behalf of the user. It also allows an offline logon using a smartcard to work on Windows clients. CTDB changes --...

...erAccountControl attribute. At the same time, the account password is reset to a random NTHASH value. Interactive password logons are rejected, if the UF_SMARTCARD_REQUIRED bit is set in the userAccountControl attribute of a user. When doing a PKINIT based Kerberos logon the KDC adds the required PAC_CREDENTIAL_INFO element to the authorization data. That means the NTHASH is shared between the PKINIT based client and the domain controller, which allows the client to do NTLM based authentication on behalf of the user. It also allows an offline logon using a smartcard to work on Windows clients. CTDB changes --...

...erAccountControl attribute. At the same time, the account password is reset to a random NTHASH value. Interactive password logons are rejected, if the UF_SMARTCARD_REQUIRED bit is set in the userAccountControl attribute of a user. When doing a PKINIT based Kerberos logon the KDC adds the required PAC_CREDENTIAL_INFO element to the authorization data. That means the NTHASH is shared between the PKINIT based client and the domain controller, which allows the client to do NTLM based authentication on behalf of the user. It also allows an offline logon using a smartcard to work on Windows clients. CTDB changes --...

...erAccountControl attribute. At the same time, the account password is reset to a random NTHASH value. Interactive password logons are rejected, if the UF_SMARTCARD_REQUIRED bit is set in the userAccountControl attribute of a user. When doing a PKINIT based Kerberos logon the KDC adds the required PAC_CREDENTIAL_INFO element to the authorization data. That means the NTHASH is shared between the PKINIT based client and the domain controller, which allows the client to do NTLM based authentication on behalf of the user. It also allows an offline logon using a smartcard to work on Windows clients. CTDB changes --...

...erAccountControl attribute. At the same time, the account password is reset to a random NTHASH value. Interactive password logons are rejected, if the UF_SMARTCARD_REQUIRED bit is set in the userAccountControl attribute of a user. When doing a PKINIT based Kerberos logon the KDC adds the required PAC_CREDENTIAL_INFO element to the authorization data. That means the NTHASH is shared between the PKINIT based client and the domain controller, which allows the client to do NTLM based authentication on behalf of the user. It also allows an offline logon using a smartcard to work on Windows clients. CTDB changes --...

...e same time, the account password is reset to a random > NTHASH value. > > Interactive password logons are rejected, if the UF_SMARTCARD_REQUIRED > bit is set in the userAccountControl attribute of a user. > > When doing a PKINIT based Kerberos logon the KDC adds the > required PAC_CREDENTIAL_INFO element to the authorization data. > That means the NTHASH is shared between the PKINIT based client and > the domain controller, which allows the client to do NTLM based > authentication on behalf of the user. It also allows an offline > logon using a smartcard to work on Windows clien...