NTLMSSP/GSSAPI and Heimdal, the new NTLMSSP interface

Luke Kenneth Casson Leighton lkcl at samba-tng.org
Sat Nov 17 02:53:04 GMT 2001


On Fri, Nov 16, 2001 at 10:14:14AM +1100, Andrew Bartlett wrote:

> So, what I want to do is to put the Samba passwords into the Kerberos
> database, and add a mechanism whereby the kerberos server keeps both
> passwords, and gains a trivial replacement for srv_netlogon_nt.c.

 there is a lot more than just checking a password.
 srv_netlogon_nt.c is about as trivial as it gets.

 due to the design of netlogond, which is implemented
 in srv_netlogon_nt.c, very few modifications
 of netlogond or srv_netlogon_nt.c are required to achieve
 the purposes you desire.

 they are as follows:

 - to add the NET_USERINFO_PAC info level
 which we've seen (sort-of) with an nt5 netlogon.idl typelibrary
 and also with advanced netmon.

 - to extend direct_samr_getuserinfo() which currently gets
 sam info directly from the sam database (bypassing the RPC
 interface - requires linking against libsamsrv.so).

 the extension required is to determine whether the user DB
 is a sam database or an LDAP one, and to obtain the user's
 info level from there.

 - to determine IF it is necessary, and then to extend the
 remote_interactive and remote_network functions to, in the
 same way, determine whether the user DB is a sam database or
 a Krb-5 one, and to authenticate the user higher up.

 i think it may well be necessary.


 andrew (b), i feel that i have to make this comment.

 the reason that you feel that it is necessary to write
 a "trivial replacement for srv_netlogon_nt.c" is because
 i believe you may not be fully aware yet of the issues
 involved.

 i have seen this before.  lack of appreciation and
 understanding of the issues involved leads the person
 who believes that they are authoritative for a subject
 to wish to "simplify" matters.

 once "simplified", and now having a better understanding
 of the issues involved by having had to "learn through
 doing", the shortcomings of the "simplified" approach
 become clearer, and additionally you are in a better
 position to appreciate the complexities of the existing
 approach.

 so, good luck, learn by doing, and doing well, and i'll
 take my own advice once you're up to speed on netlogond
 because i'd like to see and learn about krb5/ldap extended
 netlogond just as much as you do.

 all best,

 luke