NTLMSSP/GSSAPI and Heimdal, the new NTLMSSP interface

Luke Howard lukeh at PADL.COM
Sat Nov 17 06:38:03 GMT 2001


Luke,

> - to add the NET_USERINFO_PAC info level
> which we've seen (sort-of) with an nt5 netlogon.idl typelibrary
> and also with advanced netmon.

Have you got some IDL for this? I'm not sure whether this is
actually used in W2K logon as the PAC is returned from the KDC
(in the infamous authorization data field) and it appears that
only the PAC checksums are passed to NETLOGON for verification.

> So, good luck, learn by doing, and doing well, and I'll
> take my own advice once you're up to speed on netlogond
> because I'd like to see and learn about krb5/ldap extended
> netlogond just as much as you do.

I think Andrew was getting at something else entirely, which
was encapsulating the NTLM logon process in Kerberos. I don't
think this is possible but in trying one will undoubtedly learn
much!

cheers,

-- Luke

--
Luke Howard | lukehoward.com
PADL Software | www.padl.com




More information about the samba-technical mailing list