On Fri, 2006-12-08 at 16:09 -0500, Michael B Allen wrote: > I'm also sending this to kitten (the GSSAPI working group mailing list). > > On Fri, 8 Dec 2006 09:48:50 -0800 > "Henry B. Hotz" <hotz@jpl.nasa.gov> wrote: > > > If you google "altman sspi gssapi sample" you can find references to > > example code for how to use SSPI and GSSAPI in a compatible way. > > SPNEGO is a supported mechanism for most current GSSAPI > > implementations (including the ones in the MIT and Heimdal > > implementations). > > > > I'm not sure how much of a subset the current GSSAPI implementations > > are. The one area I know to worry about is the ability to auto- > > negotiate from GSSAPI/SPNEGO/krb5 to GSSAPI/SPNEGO/NTLMv2 if needed. > > GSSAPI only deals with authentication. As you point out NTLMSSP is > not supported by most (any?) GSSAPI implementations but that's not the > problem. GSSAPI could support NTLMSSP using the current model just fine > (although I don't know about the Schannel provider). The problem has > more to do with how SSPI integrates with host credential management. > Because everything goes through gss_cred_id_t you have a bunch of issues > regarding how to get credentials for use with GSSAPI and with how to > get credentials from GSSAPI for use with non-GSSAPI software. > > For example, how do you get a gss_cred_id_t from a username and > password? Not defined. How does a service get the delegated credential > in a form that can be used with Kerberos aware software like libcurl or > the pgsql driver? Not defined [1]. > > Also SSPI splits out a lot of functionality like encryption and signing > whereas GSSAPI tries to parameterize that with poorly defined concepts > like gss_qop_t. > > For the OP to implement SSPI in WINE GSSAPI alone will not even come > close. Possibly, as I don't know SSPI very well, but for Samba's purposes, it has done much better than the alternative: write it from scratch, or attempt to build it from the kerberos libs. That is why I gave kblin the advise to start with GSSAPI, particularly for the GSSAPI/SPNEGO/KRB5 part. I would also be very interested in an end state where we have NTLMSSP provided into GSSAPI, possibly by Samba. I had hoped that WINE could use Samba's GENSEC in this, but I screwed up on licencing (the amount of code that required a re-licence was quite large, as GENSEC is very dependent on libs from the rest of Samba). Andrew Bartlett -- Andrew Bartlett http://samba.org/~abartlet/ Authentication Developer, Samba Team http://samba.org Samba Developer, Red Hat Inc. http://redhat.com
This is a digitally signed message part