I've been pondering using Heimdal's SPNEGO code in Samba4, so we can avoid maintaining our own version of this protocol.

However, to do this I need a way to make NTLM usable, when selected by Heimdal. It seems I have two options:

- help improve Heimdal's heimntlm
- somehow plug Samba4's NTLM layer behind Heimdal's GSS

Either way, I need an extended gss_wrap that supports AEAD (the signature is over a header and body, while the crypto is just over the body). This is needed for DCE/RPC in Samba4.

As NTLM isn't really nearly as special these days as it once was, I wondered about helping improve Heimdal's layer, and wondered if it might be possible to, like the send_to_kdc functions, have a hook we can register for 'process NTLM login'. This might perhaps be a Heimdal plugin - then Samba3 could perhaps supply it, and Heimdal would talk to Samba3's winbind.

I would also need to figure out how the password callbacks would work. But despite all the hurdles, it seems easier than adding and maintaining the SPNEGO mechListMic stuff as another Samba4-only thing, while bringing wider benefits.

Thoughts?

Andrew Bartlett

--
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team
http://samba.org
Samba Developer, Red Hat Inc.
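The AEAD-style wrap the message asks for, shown as an added illustration that is not Heimdal, Samba or GSS-API code: a DCE/RPC-like PDU whose header stays readable on the wire but is covered by the signature, while only the body is encrypted, so any change to the header or the sealed body fails verification. The HMAC-based keystream is a stand-in for the mechanism's real cipher, and the key, nonce and sample PDU are constructed for the demo.

```python
import hashlib
import hmac
import os

# Constructed demo key; a real mechanism derives this from the GSS context.
KEY = b"\x01" * 32


def _subkeys(key: bytes):
    """Separate sealing and signing keys so one key is never used for both."""
    enc = hmac.new(key, b"seal", hashlib.sha256).digest()
    mac = hmac.new(key, b"sign", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a toy PRF (stand-in, not a GSS cipher)."""
    out = b""
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(enc_key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def wrap_aead(key: bytes, header: bytes, body: bytes, nonce: bytes = None):
    """Seal the body only; sign header || nonce || sealed body (encrypt-then-MAC).

    Returns the header unchanged, so the transport can still parse it.
    """
    enc_key, mac_key = _subkeys(key)
    nonce = nonce if nonce is not None else os.urandom(12)
    ks = _keystream(enc_key, nonce, len(body))
    sealed = bytes(a ^ b for a, b in zip(body, ks))
    tag = hmac.new(mac_key, header + nonce + sealed, hashlib.sha256).digest()
    return header, nonce, sealed, tag


def unwrap_aead(key: bytes, header: bytes, nonce: bytes, sealed: bytes, tag: bytes) -> bytes:
    """Verify the signature over header and sealed body before unsealing."""
    enc_key, mac_key = _subkeys(key)
    expected = hmac.new(mac_key, header + nonce + sealed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("signature check failed: header or body was modified")
    ks = _keystream(enc_key, nonce, len(sealed))
    return bytes(a ^ b for a, b in zip(sealed, ks))
```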