
Re: Using Heimdal for SPNEGO and NTLM in Samba4



On Wed, 2008-06-18 at 12:27 -0400, Michael B Allen wrote:
> On Wed, 18 Jun 2008 20:48:57 +1000
> Andrew Bartlett <abartlet@samba.org> wrote:
> 
> > I've been pondering using Heimdal's SPNEGO code in Samba4, so we can
> > avoid maintaining our own version of this protocol.
> > 
> > However, to do this I need a way to make NTLM usable, when selected by
> > Heimdal. 
> > 
> > It seems I have two options:  
> >  - help improve Heimdal's heimntlm
> >  - somehow plug Samba4's NTLM layer behind Heimdal's GSS
> > 
> > Either way, I need an extended gss_wrap that supports AEAD (the
> > signature is over a header and body, while the crypto is just over the
> > body).  This is needed for DCE/RPC in Samba4. 
> > 
> > As NTLM isn't really nearly as special these days as it once was, I
> 
> It's still required for non-domain authentication in Windows so it's
> not like it's obsolete. Windows clients automatically fail over to NTLM
> if anything goes wrong trying to do Kerberos and it's actually quite
> difficult to get all clients doing Kerberos smoothly.

I actually meant special in terms of 'Samba's GPL'ed code was the only
reasonable implementation'.  In the past, knowing that we got this right
was a fairly important bit of leverage in licence games (ie, Samba is
GPL for a reason) that are not as important given full documentation
from Microsoft and reasonable alternatives, such as Heimdal now it
handles UCS2 correctly. 

> And despite the fact that many people think GSSAPI is ultimately for
> Kerberos only, NTLMSSP is a completely legitimate GSSAPI mechanism. It's
> just been difficult for an implementation to accept NTLMSSP tokens because
> traditionally it has meant using DCERPC to do NETLOGON pass-through
> authentication which is out-of-bounds for most implementations. Apparently
> Heimdal uses some kind of krb5-digest method in this case but I haven't
> tried it so I'm not sure if it will work in all scenarios (although I
> asked Love about it once and it claimed it did).

The krb5-digest stuff is neat, and it's that layer that I wish to plug
into Samba (so we will still do the actual NTLM calculations, or forward
them over the NETLOGON pipe when we are in an AD domain). 

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.
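The "extended gss_wrap" Andrew describes above (signature over header and body, encryption over the body only) is the shape DCE/RPC packet privacy needs: the PDU header has to stay readable on the wire so the peer can parse it, but it must still be integrity-protected. The following is an added example written for this page, not code from Heimdal, Samba or the NTLMSSP specification. It uses HMAC-SHA256 for the MIC and a toy RC4 keystream for sealing (RC4 only because that is what NTLM historically sealed with; it is not a recommendation), derives a fresh per-message seal key so keystream is never reused, and binds a sequence number to stop replays. The key names, the 4-byte header layout and the stub payload are all constructed for the demo.

```python
"""AEAD-style wrap: sign header || body, encrypt body only (added example)."""
import hashlib
import hmac
import struct
from dataclasses import dataclass

SEQ_LEN = 4   # little-endian sequence number prepended to the token
SIG_LEN = 16  # truncated MIC length


def rc4_keystream(key: bytes, n: int) -> bytes:
    """Plain RC4 KSA + PRGA. Toy stream cipher for illustration only."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


@dataclass
class WrapContext:
    """One direction of a security context: signing key, sealing key and
    the next expected sequence number (hypothetical names)."""
    sign_key: bytes
    seal_key: bytes
    seq: int = 0


def _mic(sign_key: bytes, seq: int, header: bytes, body: bytes) -> bytes:
    # The MIC covers the sequence number, the cleartext header AND the
    # cleartext body, so the header is protected although never encrypted.
    mac = hmac.new(sign_key, digestmod=hashlib.sha256)
    mac.update(struct.pack("<I", seq))
    mac.update(header)
    mac.update(body)
    return mac.digest()[:SIG_LEN]


def _keystream(seal_key: bytes, seq: int, n: int) -> bytes:
    # Per-message key: the same RC4 keystream must never cover two PDUs.
    msg_key = hmac.new(seal_key, struct.pack("<I", seq), hashlib.sha256).digest()
    return rc4_keystream(msg_key, n)


def wrap(ctx: WrapContext, header: bytes, body: bytes):
    """Return (cleartext header, sealed body, token). Only the body is encrypted."""
    seq = ctx.seq
    ctx.seq += 1
    sig = _mic(ctx.sign_key, seq, header, body)
    ks = _keystream(ctx.seal_key, seq, len(body))
    sealed = bytes(b ^ k for b, k in zip(body, ks))
    return header, sealed, struct.pack("<I", seq) + sig


def unwrap(ctx: WrapContext, header: bytes, sealed: bytes, token: bytes) -> bytes:
    """Verify the token over header || body and return the unsealed body."""
    if len(token) != SEQ_LEN + SIG_LEN:
        raise ValueError("malformed token")
    seq = struct.unpack("<I", token[:SEQ_LEN])[0]
    if seq != ctx.seq:
        raise ValueError("unexpected sequence number (replay or loss)")
    ks = _keystream(ctx.seal_key, seq, len(sealed))
    body = bytes(b ^ k for b, k in zip(sealed, ks))
    expected = _mic(ctx.sign_key, seq, header, body)
    if not hmac.compare_digest(expected, token[SEQ_LEN:]):
        raise ValueError("integrity check failed")
    ctx.seq += 1  # only advance once the PDU has been accepted
    return body


def demo() -> dict:
    """Constructed DCE/RPC-like PDU: 4-byte cleartext header plus stub body."""
    header = struct.pack("<BBBB", 5, 0, 0, 3)   # version, minor, ptype, flags (constructed)
    body = b"stub data: constructed request payload"
    tx = WrapContext(b"demo-sign-key", b"demo-seal-key")
    rx = WrapContext(b"demo-sign-key", b"demo-seal-key")

    hdr, sealed, token = wrap(tx, header, body)
    roundtrip = unwrap(rx, hdr, sealed, token) == body

    # Replaying the same PDU must fail: rx now expects seq 1, token carries seq 0.
    try:
        unwrap(rx, hdr, sealed, token)
        replay_rejected = False
    except ValueError:
        replay_rejected = True

    # Flipping a byte of the cleartext header must fail even though the
    # header was never encrypted: that is what signing over header || body buys.
    hdr2, sealed2, token2 = wrap(tx, header, body)
    bad_hdr = hdr2[:1] + b"\x01" + hdr2[2:]
    try:
        unwrap(rx, bad_hdr, sealed2, token2)
        tamper_rejected = False
    except ValueError:
        tamper_rejected = True

    return {"header_cleartext": hdr == header, "body_sealed": sealed != body,
            "roundtrip": roundtrip, "replay_rejected": replay_rejected,
            "tamper_rejected": tamper_rejected}
```

The MIC is computed over the cleartext body, as NTLM's is, so the receiver unseals first and verifies second; the constant-time compare keeps that order from leaking the MIC byte by byte. A real mechanism would also carry the key-exchange and RC4-state handling that NTLMSSP defines; this block only shows the wrap semantics the thread is discussing.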
