[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Using GSSAPI with specific providers
On Sat, 09 Dec 2006 12:16:35 +1100
Andrew Bartlett <email@example.com> wrote:
> > For the OP to implement SSPI in WINE GSSAPI alone will not even come
> > close.
> Possibly, as I don't know SSPI very well, but for Samba's purposes, it
> has done much better than the alternative: write it from scratch, or
> attempt to build it from the kerberos libs.
But you use your own custom modified Heimdal right? Any of those changes
help you juggle creds? I know you're not using KRB5CCNAME :-)
Still, I'm not saying kblin shouldn't use GSSAPI. I'm just pointing out
that it's a subset of SSPI.
> I would also be very interested in an end state where we have
> NTLMSSP provided into GSSAPI, possibly by Samba.
I was thinking about doing this and the protocol part of it would be
very straight forward and easy to implement. But the compelling reason
for *using* it is for SSO scenarios and doing pass-through auth via
MSRPC is just out of scrope for Heimdal. Right now I'm just going to use
krb5_get_init_creds_with_password for users not logged on. But eventually
I will do it because I can do MSRPC (can pass-through be done without
PS: I know you Samba guys are getting a lot of work done lately because
the samba-technical list has been very quiet :->
Michael B Allen
PHP Active Directory SSO