[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Using GSSAPI with specific providers

On Sat, 2006-12-09 at 01:04 -0500, Michael B Allen wrote:
> On Sat, 09 Dec 2006 12:16:35 +1100
> Andrew Bartlett <abartlet@samba.org> wrote:
> > > For the OP to implement SSPI in WINE GSSAPI alone will not even come
> > > close.
> > 
> > Possibly, as I don't know SSPI very well, but for Samba's purposes, it
> > has done much better than the alternative:  write it from scratch, or
> > attempt to build it from the kerberos libs.
> But you use your own custom modified Heimdal right? Any of those changes
> help you juggle creds? I know you're not using KRB5CCNAME :-)

We never needed that, and Heimdal has improved to the stage where we
require very few custom modifications.  Even DCE_STYLE GSSAPI, which
kblin requires (his primary target is outlook using DCE/RPC) is now in
the snapshots.

Our modifications are less then 500 lines now, including hooks for PAC
generation (but even this is reducing).

> Still, I'm not saying kblin shouldn't use GSSAPI. I'm just pointing out
> that it's a subset of SSPI.
> > I would also be very interested in an end state where we have
> > NTLMSSP provided into GSSAPI, possibly by Samba.  
> I was thinking about doing this and the protocol part of it would be
> very straight forward and easy to implement. But the compelling reason
> for *using* it is for SSO scenarios and doing pass-through auth via
> MSRPC is just out of scrope for Heimdal. Right now I'm just going to use
> krb5_get_init_creds_with_password for users not logged on. But eventually
> I will do it because I can do MSRPC (can pass-through be done without
> Schannel?).

On the server-side, my thought is that Heimdal would either allow a
local database to be used, or for the app to register a plugin.  One
could very well imagine a plugin that talked to Samba's ntlm_auth.

> Mike
> PS: I know you Samba guys are getting a lot of work done lately because
> the samba-technical list has been very quiet :->

Nah, I've just been on my honeymoon. ;-)

Andrew Bartlett

Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.                  http://redhat.com

This is a digitally signed message part