
Re: Using Heimdal for SPNEGO and NTLM in Samba4

On Wed, 2008-06-18 at 12:27 -0400, Michael B Allen wrote:
> On Wed, 18 Jun 2008 20:48:57 +1000
> Andrew Bartlett <abartlet@samba.org> wrote:
> > I've been pondering using Heimdal's SPNEGO code in Samba4, so we can
> > avoid maintaining our own version of this protocol.
> > 
> > However, to do this I need a way to make NTLM usable, when selected by
> > Heimdal. 
> > 
> > It seems I have two options:  
> >  - help improve Heimdal's heimntlm
> >  - somehow plug Samba4's NTLM layer behind Heimdal's GSS
> > 
> > Either way, I need an extended gss_wrap that supports AEAD (the
> > signature is over a header and body, while the crypto is just over the
> > body).  This is needed for DCE/RPC in Samba4. 
> > 
> > As NTLM isn't really nearly as special these days as it once was, I
> It's still required for non-domain authentication in Windows so it's
> not like it's obsolete. Windows clients automatically fail-over to NTLM
> if anything goes wrong trying to do Kerberos and it's actually quite
> difficult to get all clients doing Kerberos smoothly.

I actually meant special in terms of 'Samba's GPL'ed code was the only
reasonable implementation'.  In the past, knowing that we got this right
was a fairly important bit of leverage in licence games (i.e., Samba is
GPL for a reason) that are not as important given full documentation
from Microsoft and reasonable alternatives, such as Heimdal now it
handles UCS2 correctly.

> And despite the fact that many people think GSSAPI is ultimately for
> Kerberos only, NTLMSSP is a completely legitimate GSSAPI mechanism. It's
> just been difficult for an implementation to accept NTLMSSP tokens because
> traditionally it has meant using DCERPC to do NETLOGON pass-through
> authentication which is out-of-bounds for most implementations. Apparently
> Heimdal uses some kind of krb5-digest method in this case but I haven't
> tried it so I'm not sure if it will work in all scenarios (although I
> asked Love about it once and it claimed it did).

The krb5-digest stuff is neat, and it's that layer that I wish to plug
into Samba (so we will still do the actual NTLM calculations, or forward
them over the NETLOGON pipe when we are in an AD domain). 

Andrew Bartlett

Andrew Bartlett
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.
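The AEAD-style gss_wrap the thread asks for (signature over header and body, encryption over the body only) as a self-contained example added here; it is not code from Heimdal, Samba or the thread, and it stands in a toy HMAC-SHA256 counter-mode keystream for the mechanism's real cipher, with the names wrap_aead, unwrap_aead and integrity_holds assumed for illustration.

```python
import hashlib
import hmac
import os

def _keystream(seal_key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy counter-mode keystream from HMAC-SHA256 so the example runs on the
    # stdlib alone; a real mechanism would use its own cipher here.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(seal_key, nonce + counter.to_bytes(4, "big"),
                        hashlib.sha256).digest()
        counter += 1
    return out[:length]

def _xor(data: bytes, keystream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, keystream))

def wrap_aead(sign_key: bytes, seal_key: bytes, header: bytes, body: bytes):
    """Seal only the body, then sign header + nonce + sealed body.

    The header stays readable, as a DCE/RPC PDU header must, but any
    change to it is caught when the peer verifies the signature.
    """
    nonce = os.urandom(12)
    sealed = _xor(body, _keystream(seal_key, nonce, len(body)))
    sig = hmac.new(sign_key, header + nonce + sealed, hashlib.sha256).digest()
    return header, nonce, sealed, sig

def unwrap_aead(sign_key: bytes, seal_key: bytes, header: bytes,
                nonce: bytes, sealed: bytes, sig: bytes) -> bytes:
    """Verify the signature over header and sealed body, then unseal."""
    expected = hmac.new(sign_key, header + nonce + sealed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        raise ValueError("bad signature: header or body was modified")
    return _xor(sealed, _keystream(seal_key, nonce, len(sealed)))

def integrity_holds(sign_key: bytes, seal_key: bytes, token) -> bool:
    """True if the token unwraps cleanly; False if it was tampered with."""
    try:
        unwrap_aead(sign_key, seal_key, *token)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    ks, kc = os.urandom(32), os.urandom(32)
    token = wrap_aead(ks, kc, b"RPC-HDR", b"request payload")
    print(unwrap_aead(ks, kc, *token))                          # b'request payload'
    print(integrity_holds(ks, kc, (b"RPC-HDX",) + token[1:]))   # False
```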
