NTLMSSP/GSSAPI and Heimdal, the new NTLMSSP interface

Luke Kenneth Casson Leighton lkcl at samba-tng.org
Sun Nov 18 05:10:05 GMT 2001

On Sun, Nov 18, 2001 at 01:37:10AM +1100, Luke Howard wrote:
> Luke,
> > - to add the NET_USERINFO_PAC info level
> > which we've seen (sort-of) with an nt5 netlogon.idl typelibrary
> > and also with advanced netmon.
> Have you got some IDL for this? 

no, i haven't, however i expect it to be in the
nt5 typelibrary.  the dcerpc.net netlogon.idl was generated
from nt4 typelibrary.

> I'm not sure whether this is
> actually used in W2K logon as the PAC is returned from the KDC
> (in the infamous authorization data field) and it appears that
> only the PAC checksums are passed to NETLOGON for verification.
> > so, good luck, learn by doing, and doing well, and i'll
> > take my own advice once you're up to speed on netlogond
> > because i'd like to see and learn about krb5/ldap extended
> > netlogond just as much as you do.
> I think Andrew was getting at something else entirely, which

 i was answering the bit about writing a "simpler"
 srv_netlogon_nt.c, which simply isn't possible
 [without losing almost all functionality or
 making life actually _more_ complex than is
 already implemented!].

> was encapsulating the NTLM logon process in Kerberos. I don't
> think this is possible but in trying one will undoubtedly learn
> much!

 yes, that won't be possible [encaps.].

 ...which is why ms created draft-brezak-krb5-rc4-hmac-01.txt
 which uses nt hashes for authentication and encryption.

 i explained this a couple of times already on lists.


More information about the samba-technical mailing list