NTLMSSP/GSSAPI and Heimdal, the new NTLMSSP interface

Andrew Bartlett abartlet at pcug.org.au
Thu Nov 15 15:15:02 GMT 2001

Luke Howard wrote:
> Hi Andrew,
> >A little while back you mentioned that sombody was looking into adding
> >NTLMSSP to the GSSAPI in Heimdal kerberos, but you didn't mention any
> >full names or e-mails.
> Perhaps it was me. My focus is on W2K integration, so NTLMSSP is not
> a big priority for me; however, I think it would be fairly trivial
> to implement a NTLMSSP GSS-API provider in terms of Luke's NTLMSSP
> library, particularly as Microsoft do not frame their NTLMSSP tokens
> in ASN.1.
> However, to make this useful, we really need SPNEGO support in
> Heimdal and a way to deal with multiple mechanisms. Assar Westerlund
> is working on SPNEGO support, but I believe it only works with
> the Kerberos V mechanism. I was thinking it might actually be useful
> to get Sun's GSS-API mechanism switch (which they released as part
> of ONC TI-RPC), add SPNEGO and NTLMSSP to that, and get it working
> with both MIT Kerberos and Heimdal.
> Also, there may be license conflicts if we were to actually use
> SAMBA NTLMSSP code _inside_ Heimdal.

OK, I probably should explain my purpose a bit better:

I'm sick of trying to keep password in sync.  It is a fruitless
exercise, and I (and my staff) have spent to much time fixing up
password that get out of sync.

So, what I want to so is to put the Samba passwords into the Kerberos
database, and add a mechanism whereby the kerberos server keeps both
passwords, and gains a trivial replacement for srv_netlogon_nt.c.  

I'm thinking that it should just be a normal kerberos authenticated &
encrypted connection, and it should just take in challange-response pair
and spit out the session keys and a basic status code.

The real trick however would be taking this one step further (and this
stretches the kerberos trust a fair bit) and also returning a TGT.  Now
that *would* be useful, because it would allow us to integrate NT4 into
kerberos-based filesytems and the like.  I'm not sure about this one,
but the main other thing I would need is the ability for NT4 clients to
change their passwords against their Samba PDC and have Samba somehow
(securely) pass this onto the KDC.  I'll have to look at the protocols

(Oh yes, after I finish this authentication thing, I think password
changing is next up on the chopping block...)

Andrew Bartlett

Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net

More information about the samba-technical mailing list