
Using Heimdal for SPNEGO and NTLM in Samba4



I've been pondering using Heimdal's SPNEGO code in Samba4, so we can
avoid maintaining our own version of this protocol.

However, to do this I need a way to make NTLM usable, when selected by
Heimdal. 

It seems I have two options:  
 - help improve Heimdal's heimntlm
 - somehow plug Samba4's NTLM layer behind Heimdal's GSS

Either way, I need an extended gss_wrap that supports AEAD (the
signature is over a header and body, while the crypto is just over the
body).  This is needed for DCE/RPC in Samba4. 

As NTLM isn't really nearly as special these days as it once was, I
wondered about helping improve Heimdal's layer, and wondered if it might
be possible to, like the send_to_kdc functions, have a hook we can
register for 'process NTLM login'.  This might perhaps be a Heimdal
plugin - then Samba3 could perhaps supply it, and Heimdal would talk to
Samba3's winbind.  

I would also need to figure out how the password callbacks would work. 

But despite all the hurdles, it seems easier than adding and maintaining
the SPNEGO mechListMic stuff as another Samba4-only thing, while
bringing wider benefits.  

Thoughts?

Andrew Bartlett
-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.
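As an added illustration (not code from Samba, Heimdal, or the message above) of the AEAD split Andrew describes, the following models a gss_wrap variant where the signature covers the DCE/RPC header and body while only the body is sealed. HMAC-SHA256 and an HMAC-derived keystream are assumed stand-ins for the real NTLM signing and sealing primitives; the keys, sequence numbers and header bytes are constructed sample values.

```python
import hashlib
import hmac
import struct

# Constructed example: AEAD-style wrap/unwrap where the MIC is computed over
# header || body (plus a sequence number) but only the body is encrypted.
# HMAC-SHA256 and a counter-mode HMAC keystream are illustrative stand-ins,
# not NTLM's actual signing/sealing algorithms.


def _keystream(seal_key: bytes, seq: int, length: int) -> bytes:
    """Per-message keystream (counter-mode HMAC; stand-in for the real sealing cipher)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(seal_key, struct.pack(">QI", seq, counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(data: bytes, ks: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, ks))


def _mic(sign_key: bytes, seq: int, header: bytes, body: bytes) -> bytes:
    # Signature covers the sequence number, the cleartext header and the cleartext body.
    return hmac.new(sign_key, struct.pack(">Q", seq) + header + body, hashlib.sha256).digest()


def wrap_aead(sign_key: bytes, seal_key: bytes, seq: int, header: bytes, body: bytes):
    """Return (sealed_body, mic): MIC over header||body, encryption over body only."""
    mic = _mic(sign_key, seq, header, body)
    sealed = _xor(body, _keystream(seal_key, seq, len(body)))
    return sealed, mic


def unwrap_aead(sign_key: bytes, seal_key: bytes, seq: int, header: bytes, sealed: bytes, mic: bytes):
    """Unseal the body, then verify the MIC over header||body. Returns the body, or None on failure."""
    body = _xor(sealed, _keystream(seal_key, seq, len(sealed)))
    if not hmac.compare_digest(_mic(sign_key, seq, header, body), mic):
        return None  # header or body tampered with, or wrong sequence number
    return body
```

Because the header is covered by the MIC but sent in clear, a receiver can route on it yet still reject any modification to it, which is what a plain gss_wrap (signing and sealing the same buffer) cannot express.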