Re: Using Heimdal for SPNEGO and NTLM in Samba4

On Wed, 2008-06-18 at 17:22 -0700, Love Hörnquist Åstrand wrote:
> >
> > As NTLM isn't really nearly as special these days as it once was, I
> > wondered about helping improve Heimdal's layer, and wondered if it might
> > be possible to, like the send_to_kdc functions, have a hook we can
> > register for 'process NTLM login'.  This might perhaps be a Heimdal
> > plugin - then Samba3 could perhaps supply it, and Heimdal would talk to
> > Samba3's winbind.
> I started to implement an NTLM plugin for winbind, but since the protocol
> is not stable and neither a library nor a sane protocol has shown up, I
> put that on ice for the time being.
> See struct ntlm_server_interface in lib/gssapi/ntlm/ntlm.h and
> lib/gssapi/ntlm/digest.c for how to implement it.

I looked at this.  How should we allow a different set of target
functions to be specified?  In general, it might make sense for the krb5
plugin interface to handle it, but for use inside Samba, it might make
sense to have it appear as server credentials (as it fits exactly this

Any thoughts on how I could construct a set of 'credentials' to pass to
spnego that are both a krb5 keytab and a pointer to the ntlm server

Andrew Bartlett
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.

