Kerberos authentication

Luke Kenneth Casson Leighton lkcl at
Mon Apr 5 17:54:35 GMT 1999

On Sat, 3 Apr 1999, Hernan Ochoa wrote:

> Hi!
> >GINAs are not an appropriate place to provide alternative authentication.
> >microsoft is fully aware of this and deliberately does not provide any
> >information about the more appropriate API interface (the Local Security
> >Authority) except if you pay them extortionate amounts of money and if
> >they like the way that you smell.
> >therefore, the only _public_ way to provide alternative authentication is
> >to have a GINA that calls into MSGINA once you have "done your own thing"
> >sufficient to fool MSGINA into thinking that the [Kerberos, NIS etc] user
> >exists.
> GINA is more adecuate to change the "interface" of the login, i think.


> if you want to change the method of authentication you should use a subauthentication
> package, or an authentication package.

also correct.
> the default authentication package is msv1_0.dll, here is where all the code that compares the hash of your password with the local or remote sam database resides. 

and for nt5, there is an additional one: kerberos.dll.
> you can also write a subauthentication package that can do EXTRA authentication, and if that extra authentication fails, the logon is failed.

this is specific to msv1_0.dll: they have a further extension system.
you are _still_ required to have an account in the SAM database and there
is no API in the msv1_0.dll subauthentication system to create _new_
> to write a new authentication package would be the rigth thing.


> The LSA API is documented in LSAAUTH.HLP,

ur... no it's not.  LSAAUTH.HLP has been completely truncated and
contains, for developer purposes, absolutely no useful information.

>  i've being doing some research on this lately, do you know this
> documentation?

yes i do.

> it doesn't contain everything you need?

of course not.
> Microsoft has done some nasty tricks with this file. if you read the
> help file sequentially, you won't find the CRUCIAL sections where the
> LSA API is documented, they're missing. but if you go to the index, or
> do a search, you will see all that important parts that you were
> looking for.

no, you will find that the _client-side_ API is fully documented.  the
server side is missing.  i have some other documentation (the server side
function prototypes) and this is semi-sufficient: it has no explanation.

if you have the IFS kit it contains ntifs.h which also contains the
necessary function prototypes and the higher-order function prototype

> yes, another one from microsoft,  unbelievable.
> i think there's everything you need, i didn't read the API too much
> because i didn't need it for what i was trying to accomplish, now that
> i remember, maybe it was too much oriented towards the MSV1_0 API,

it is.  well, actually, it's "too much orientated" towards NT "profile"

> anyway, i have "researched" msv1_0.dll so if you need everything maybe
> i can help.

if one person writes a dummy authentication package and releases it under
the GPL we're in business.


More information about the samba-ntdom mailing list