On Wed, 2008-06-18 at 12:27 -0400, Michael B Allen wrote: > On Wed, 18 Jun 2008 20:48:57 +1000 > Andrew Bartlett <firstname.lastname@example.org> wrote: > > > I've been pondering using Heimdal's SPNEGO code in Samba4, so we can > > avoid maintaining our own version of this protocol. > > > > However, to do this I need a way to make NTLM usable, when selected by > > Heimdal. > > > > It seems I have two options: > > - help improve Heimdal's heimntlm > > - somehow plug Samba4's NTLM layer behind Heimdal's GSS > > > > Either way, I need an extended gss_wrap that supports AEAD (the > > signature is over a header and body, while the crypto is just over the > > body). This is needed for DCE/RPC in Samba4. > > > > As NTLM isn't really nearly as special these days as it once was, I > > It's still required for non-domain authentication in Windows so it's > not like it's obsolete. Windows clients automatically fail-over to NTLM > if anything goes wrong trying to do Kerberos and it's actually quite > difficult to get all clients doing Kerberos smoothly. I actually meant special in terms of 'Samba's GPL'ed code was the only reasonable implementation'. In the past, knowing that we got this right was a fairly important bit of leverage in licence games (ie, Samba is GPL for a reason) that are not as important given full documentation from Microsoft and reasonable alternatives, such as Heimdal now it handles UCS2 correctly. > And despite the fact that many people think GSSAPI is ultimately for > Kerberos only, NTLMSSP is a completely legitimate GSSAPI mechanism. It's > just been difficult for an implementation to accept NTLMSSP tokens because > traditionally it has meant using DCERPC to do NETLOGON pass-through > authentication which is out-of-bounds for most implementations. Apparently > Heimdal uses some kind of krb5-digest method in this case but I haven't > tried it so I'm not sure if it will work in all scenarios (although I > asked Love about it once and it claimed it did). The krb5-digest stuff is neat, and it's that layer that I wish to plug into Samba (so we will still do the actual NTLM calculations, or forward them over the NETLOGON pipe when we are in an AD domain). Andrew Bartlett -- Andrew Bartlett http://samba.org/~abartlet/ Authentication Developer, Samba Team http://samba.org Samba Developer, Red Hat Inc.
This is a digitally signed message part