
Re: Using GSSAPI with specific providers



On Sat, 2006-12-09 at 01:04 -0500, Michael B Allen wrote:
> On Sat, 09 Dec 2006 12:16:35 +1100
> Andrew Bartlett <abartlet@samba.org> wrote:
> 
> > > For the OP to implement SSPI in WINE GSSAPI alone will not even come
> > > close.
> > 
> > Possibly, as I don't know SSPI very well, but for Samba's purposes, it
> > has done much better than the alternative:  write it from scratch, or
> > attempt to build it from the kerberos libs.
> 
> But you use your own custom modified Heimdal right? Any of those changes
> help you juggle creds? I know you're not using KRB5CCNAME :-)

We never needed that, and Heimdal has improved to the stage where we
require very few custom modifications.  Even DCE_STYLE GSSAPI, which
kblin requires (his primary target is outlook using DCE/RPC) is now in
the snapshots.

Our modifications are less than 500 lines now, including hooks for PAC
generation (but even this is reducing).

> Still, I'm not saying kblin shouldn't use GSSAPI. I'm just pointing out
> that it's a subset of SSPI.
> 
> > I would also be very interested in an end state where we have
> > NTLMSSP provided into GSSAPI, possibly by Samba.  
> 
> I was thinking about doing this and the protocol part of it would be
> very straight forward and easy to implement. But the compelling reason
> for *using* it is for SSO scenarios and doing pass-through auth via
> MSRPC is just out of scope for Heimdal. Right now I'm just going to use
> krb5_get_init_creds_with_password for users not logged on. But eventually
> I will do it because I can do MSRPC (can pass-through be done without
> Schannel?).

On the server-side, my thought is that Heimdal would either allow a
local database to be used, or for the app to register a plugin.  One
could very well imagine a plugin that talked to Samba's ntlm_auth.

> Mike
> 
> PS: I know you Samba guys are getting a lot of work done lately because
> the samba-technical list has been very quiet :->

Nah, I've just been on my honeymoon. ;-)

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.                  http://redhat.com
