Re: Using GSSAPI with specific providers



On Sat, 09 Dec 2006 12:16:35 +1100
Andrew Bartlett <abartlet@samba.org> wrote:

> > For the OP to implement SSPI in WINE GSSAPI alone will not even come
> > close.
> 
> Possibly, as I don't know SSPI very well, but for Samba's purposes, it
> has done much better than the alternative:  write it from scratch, or
> attempt to build it from the kerberos libs.

But you use your own custom modified Heimdal right? Any of those changes
help you juggle creds? I know you're not using KRB5CCNAME :-)

Still, I'm not saying kblin shouldn't use GSSAPI. I'm just pointing out
that it's a subset of SSPI.

> I would also be very interested in an end state where we have
> NTLMSSP provided into GSSAPI, possibly by Samba.  

I was thinking about doing this and the protocol part of it would be
very straightforward and easy to implement. But the compelling reason
for *using* it is for SSO scenarios and doing pass-through auth via
MSRPC is just out of scope for Heimdal. Right now I'm just going to use
krb5_get_init_creds_with_password for users not logged on. But eventually
I will do it because I can do MSRPC (can pass-through be done without
Schannel?).

Mike

PS: I know you Samba guys are getting a lot of work done lately because
the samba-technical list has been very quiet :->

-- 
Michael B Allen
PHP Active Directory SSO
http://www.ioplex.com/