[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Using Heimdal for SPNEGO and NTLM in Samba4

On Wed, 18 Jun 2008 20:48:57 +1000
Andrew Bartlett <abartlet@samba.org> wrote:

> I've been pondering using Heimdal's SPNEGO code in Samba4, so we can
> avoid maintaining our own version of this protocol.
> However, to do this I need a way to make NTLM usable, when selected by
> Heimdal. 
> It seems I have two options:  
>  - help improve Heimdal's heimntlm
>  - somehow plug Samba4's NTLM layer behind Heimdal's GSS
> Either way, I need an extended gss_wrap that supports AEAD (the
> signature is over a header and body, while the crypto is just over the
> body).  This is needed for DCE/RPC in Samba4. 
> As NTLM isn't really nearly as special these days as it once was, I

It's still required for non-domain authentication in Windows so it's
not like it's obsolete. Windows clients automatically fail-over to NTLM
if anything goes wrong trying to do Kerberos and it's actually quite
difficult to get all clients doing Kerberos smoothly.

And despite the fact that many people think GSSAPI is ultimately for
Kerberos only, NTLMSSP is a completely legitimate GSSAPI mechanism. It's
just been difficult for an implementation to accept NTLMSSP tokens because
traditionally it has meant using DCERPC to do NETLOGON pass-through
authentication which is out-of-bounds for most implementations. Apparently
Heimdal uses some kind of krb5-digest method in this case but I haven't
tried it so I'm not sure if it will work in all scenarios (although I
asked Love about it once and it claimed it did).


Michael B Allen
PHP Active Directory SPNEGO SSO