NTLMSSP/GSSAPI and Heimdal, the new NTLMSSP interface
Luke Kenneth Casson Leighton
lkcl at samba-tng.org
Sun Nov 18 05:10:05 GMT 2001
On Sun, Nov 18, 2001 at 01:37:10AM +1100, Luke Howard wrote:
>
> Luke,
>
> > - to add the NET_USERINFO_PAC info level
> > which we've seen (sort-of) with an nt5 netlogon.idl typelibrary
> > and also with advanced netmon.
>
> Have you got some IDL for this?
no, i haven't, however i expect it to be in the
nt5 typelibrary. the dcerpc.net netlogon.idl was generated
from nt4 typelibrary.
> I'm not sure whether this is
> actually used in W2K logon as the PAC is returned from the KDC
> (in the infamous authorization data field) and it appears that
> only the PAC checksums are passed to NETLOGON for verification.
>
> > so, good luck, learn by doing, and doing well, and i'll
> > take my own advice once you're up to speed on netlogond
> > because i'd like to see and learn about krb5/ldap extended
> > netlogond just as much as you do.
>
> I think Andrew was getting at something else entirely, which
i was answering the bit about writing a "simpler"
srv_netlogon_nt.c, which simply isn't possible
[without losing almost all functionality or
making life actually _more_ complex than is
already implemented!].
> was encapsulating the NTLM logon process in Kerberos. I don't
> think this is possible but in trying one will undoubtedly learn
> much!
:)
yes, that won't be possible [encaps.].
...which is why ms created draft-brezak-krb5-rc4-hmac-01.txt
which uses nt hashes for authentication and encryption.
i explained this a couple of times already on lists.
lkcl