NTLMSSP/GSSAPI and Heimdal, the new NTLMSSP interface
Luke Kenneth Casson Leighton
lkcl at samba-tng.org
Sat Nov 17 02:53:04 GMT 2001
On Fri, Nov 16, 2001 at 10:14:14AM +1100, Andrew Bartlett wrote:
> So, what I want to do is to put the Samba passwords into the Kerberos
> database, and add a mechanism whereby the kerberos server keeps both
> passwords, and gains a trivial replacement for srv_netlogon_nt.c.
there is a lot more than just checking a password.
srv_netlogon_nt.c is about as trivial as it gets.
due to the design of netlogond, which is implemented
in srv_netlogon_nt.c, very few modifications
to netlogond or srv_netlogon_nt.c are required to achieve
the purposes you desire.
they are as follows:
- to add the NET_USERINFO_PAC info level, which we've seen
  (sort-of) with an nt5 netlogon.idl typelibrary and also
  with advanced netmon.
- to extend direct_samr_getuserinfo(), which currently gets
  sam info directly from the sam database (bypassing the RPC
  interface - requires linking against libsamsrv.so).
  the extension required is to determine whether the user DB
  is a sam database or an LDAP one, and to obtain the user's
  info level from there.
- to determine IF it is necessary, and if so to extend the
  remote_interactive and remote_network functions to, in the
  same way, determine whether the user DB is a sam database or
  a Krb-5 one, and to authenticate the user higher-up.
i think it may well be necessary.
andrew (b), i feel that i have to make this comment.
the reason that you feel that it is necessary to write
a "trivial replacement for srv_netlogon_nt.c" is because
i believe you may not be fully aware yet of the issues
involved.
i have seen this before. lack of appreciation and
understanding of the issues involved leads the person
who believes that they are authoritative for a subject
to wish to "simplify" matters.
once "simplified", and now having a better understanding
of the issues involved by having had to "learn through
doing", the shortcomings of the "simplified" approach
become clearer, and additionally you are in a better
position to appreciate the complexities of the existing
approach.
so, good luck, learn by doing, and doing well, and i'll
take my own advice once you're up to speed on netlogond
because i'd like to see and learn about krb5/ldap extended
netlogond just as much as you do.
all best,
luke