
Re: Using GSSAPI with specific providers



On Fri, 2006-12-08 at 16:09 -0500, Michael B Allen wrote:
> I'm also sending this to kitten (the GSSAPI working group mailing list).
> 
> On Fri, 8 Dec 2006 09:48:50 -0800
> "Henry B. Hotz" <hotz@jpl.nasa.gov> wrote:
> 
> > If you google "altman sspi gssapi sample" you can find references to  
> > example code for how to use SSPI and GSSAPI in a compatible way.   
> > SPNEGO is a supported mechanism for most current GSSAPI  
> > implementations (including the ones in the MIT and Heimdal  
> > implementations).
> > 
> > I'm not sure how much of a subset the current GSSAPI implementations  
> > are.  The one area I know to worry about is the ability to auto- 
> > negotiate from GSSAPI/SPNEGO/krb5 to GSSAPI/SPNEGO/NTLMv2 if needed.
> 
> GSSAPI only deals with authentication. As you point out NTLMSSP is
> not supported by most (any?) GSSAPI implementations but that's not the
> problem.  GSSAPI could support NTLMSSP using the current model just fine
> (although I don't know about the Schannel provider). The problem has
> more to do with how SSPI integrates with host credential management.
> Because everything goes through gss_cred_id_t you have a bunch of issues
> regarding how to get credentials for use with GSSAPI and with how to
> get credentials from GSSAPI for use with non-GSSAPI software.
> 
> For example, how do you get a gss_cred_id_t from a username and
> password? Not defined. How does a service get the delegated credential
> in a form that can be used with Kerberos aware software like libcurl or
> the pgsql driver? Not defined [1].
> 
> Also SSPI splits out a lot of functionality like encryption and signing
> whereas GSSAPI tries to parameterize that with poorly defined concepts
> like gss_qop_t.
> 
> For the OP to implement SSPI in WINE GSSAPI alone will not even come
> close.

Possibly, as I don't know SSPI very well, but for Samba's purposes, it
has done much better than the alternative: write it from scratch, or
attempt to build it from the kerberos libs. That is why I gave kblin
the advice to start with GSSAPI, particularly for the GSSAPI/SPNEGO/KRB5
part. I would also be very interested in an end state where we have
NTLMSSP provided into GSSAPI, possibly by Samba.

I had hoped that WINE could use Samba's GENSEC in this, but I screwed up
on licencing (the amount of code that required a re-licence was quite
large, as GENSEC is very dependent on libs from the rest of Samba).

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.                  http://redhat.com