NTLMSSP/GSSAPI and Heimdal, the new NTLMSSP interface
Andrew Bartlett
abartlet at pcug.org.au
Thu Nov 15 16:14:02 GMT 2001
Luke Howard wrote:
>
> Hi Andrew,
>
> >So, what I want to so is to put the Samba passwords into the Kerberos
> >database, and add a mechanism whereby the kerberos server keeps both
> >passwords, and gains a trivial replacement for srv_netlogon_nt.c.
>
> Interesting idea. You can use the encryption type defined in
> draft-brezak-win2k-krb-rc4-hmac-03.txt to retrieve NT hashes from
> the KDC. You would need to define another string to key function
> for LM hashes.
>
> Here is how I've got around the keeping-passwords-in-sync thing
> for our XAD project:
>
> - implemented a password notification plugin for Heimdal
> which will update the user's LM hash (dBCSPwd) and
> OpenLDAP password (userPassword) when a password is changed
> via the kpasswd protocol
>
> - in the SAM server, update the NT hash using the kadm5
> library, and the other passwords in LDAP directly
>
> We also store the encoded ASN.1 Kerberos keys in LDAP, so there
> is a single repository for passwords even if there is some
> redundancy. Thus the SAM server can decode the ASN.1, check
> the key type, and (if RC4-HMAC) extract the NT hash.
Where can I get details about the XAD stuff? It looks like it maps onto
much of my work quite nicely.
I was going to try and do Kerberos-authenticated LDAP (i.e. no
userPassword). Is this actually doable? The other thing I need to
look into is adding a Digest-MD5 password to the mix, for HTTP
authentication, but that's another story...
> Anyway, what does this have to do with GSS-API? Not much.
> GSS-API deals with network authentication: initializing your
> credentials cache and changing passwords is outside its
> scope.
Not much, except that it was the only effort I knew of in this area, so
it was a place to start.
> >I'm thinking that it should just be a normal kerberos authenticated &
> >encrypted connection, and it should just take in challenge-response pair
> >and spit out the session keys and a basic status code.
>
> Well, you can always retrieve the keys directly from the KDC
> using the kadm5 or HDB API.
One of the things I wanted to avoid was the Samba side of things
directly setting/reading the keys - I wanted to put them on a separate
(secure) server if possible.
Thanks!
Andrew Bartlett
--
Andrew Bartlett abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team abartlet at samba.org
Student Network Administrator, Hawker College abartlet at hawkerc.net
http://samba.org http://build.samba.org http://hawkerc.net