Crazy ideas about Kerberos, NTLM and PACs... (was NTLMSSP...)

Luke Howard lukeh at PADL.COM
Mon Nov 19 02:45:03 GMT 2001


>The Win2K encryption types were created so users didn't have to change their
>passwords on upgrade of a domain from NT4 to Win2k - that's all. They don't
>really help you here (except in so far as the KDC will also need to store
>the NT hash). I've hypothesised a complete removal of the auth methods and
>code into an external (core system) library, so SASL, mod_auth_ntlm and
>others could call into a single point - winbind might be a good place...
>Hey, wait, netlogond... (not wishing to start architecture wars again :o)

Well, we need netlogond. It would be good to have an NTLM authentication
library, preferably implemented as a GSS-API mechanism: that way
FreeDCE, Cyrus SASL, etc, get NTLM authentication "for free". This
would need to talk to netlogond, as I understand it.

>Security: I'm guessing (although I'm by no means certain) that MSRPC can be
>GSSAPI-secured and authenticated in Win2K, and therefore we're going to have
>to make such an implementation to be Win2K compatible. Given that, and the
>superior security of GSSAPI, why not just implement the NetLogon channel
>over GSSAPI/MSRPC?

It sure can, and you can find a preliminary implementation in 
freedce/ncklib/auth/gssauth{,cn}.c in the dcerpc.net CVS repository.
This is authentication at the RPC layer; we would need it also at
the SMB layer, which Tridge has done some work on. It doesn't look
like Win2K makes RPCs over SMB in native mode, so the latter may
be needed only for file sharing.

Win2K clients expect to use SPNEGO to negotiate between NTLM and
Kerberos, so this needs to be supported as well.

>2) The PDC *must* be able to be a KDC for Win2K-native clients - and that
>requires a local SAM, or some horrible hackery like a *remote* LDAP Kerberos
>backend. Ugh!

It makes sense (to me) to co-locate the KDC, LDAP server, and RPC
services (SAM, LSA, NETLOGON, DRS, NSPI, XDS, etc) on the same
machine, and to have any "trusted" service access the LDAP server
use LDAP over IPC ("ldapi:///").

-- Luke

--
Luke Howard | lukehoward.com
PADL Software | www.padl.com
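
The SPNEGO step mentioned above (the Win2K client offering both Kerberos and NTLM and the acceptor choosing one) is the point where an acceptor decides whether NTLM is ever used. The following is an added example, not code from this post, from Samba or from FreeDCE: a minimal DER encoder/parser for an RFC 4178 NegTokenInit and the acceptor's mechanism selection. The OIDs are the real SPNEGO, Kerberos, MS-Kerberos and NTLMSSP OIDs; the client token, the mechToken bytes and the server preference list are constructed for the example.

```python
"""Minimal SPNEGO (RFC 4178) NegTokenInit build/parse plus acceptor mechanism choice.
Added illustration; the sample token and the server policy are constructed here."""

# Well-known mechanism OIDs in dotted form.
OID_SPNEGO = "1.3.6.1.5.5.2"
OID_KRB5 = "1.2.840.113554.1.2.2"
OID_MS_KRB5 = "1.2.840.48018.1.2.2"      # legacy Microsoft Kerberos OID
OID_NTLMSSP = "1.3.6.1.4.1.311.2.2.10"


def der_len(n):
    """DER length octets (short form below 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def der_tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body


def oid_encode(dotted):
    """Encode a dotted OID as a DER OBJECT IDENTIFIER (tag 0x06)."""
    parts = [int(p) for p in dotted.split(".")]
    out = [40 * parts[0] + parts[1]]
    for p in parts[2:]:
        chunk = [p & 0x7F]            # low 7 bits, no continuation bit
        p >>= 7
        while p:                      # higher groups carry the 0x80 continuation bit
            chunk.append(0x80 | (p & 0x7F))
            p >>= 7
        out.extend(reversed(chunk))
    return der_tlv(0x06, bytes(out))


def der_read(buf, pos):
    """Return (tag, body, next_pos) for the TLV starting at buf[pos]."""
    tag = buf[pos]
    pos += 1
    ln = buf[pos]
    pos += 1
    if ln & 0x80:
        n = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + ln], pos + ln


def oid_decode(body):
    parts = [body[0] // 40, body[0] % 40]
    val = 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(val)
            val = 0
    return ".".join(str(p) for p in parts)


def build_neg_token_init(mech_oids, mech_token=b""):
    """Wrap mechTypes (and an optional optimistic mechToken) in a GSS-API initial token."""
    mech_list = der_tlv(0x30, b"".join(oid_encode(o) for o in mech_oids))
    fields = der_tlv(0xA0, mech_list)                       # mechTypes [0]
    if mech_token:
        fields += der_tlv(0xA2, der_tlv(0x04, mech_token))  # mechToken [2] OCTET STRING
    neg_init = der_tlv(0xA0, der_tlv(0x30, fields))         # negTokenInit [0] SEQUENCE
    return der_tlv(0x60, oid_encode(OID_SPNEGO) + neg_init)  # [APPLICATION 0]


def parse_neg_token_init(token):
    """Return (mechTypes in client order, mechToken bytes) from a NegTokenInit."""
    tag, body, _ = der_read(token, 0)
    if tag != 0x60:
        raise ValueError("not a GSS-API initial context token")
    tag, oid, pos = der_read(body, 0)
    if tag != 0x06 or oid_decode(oid) != OID_SPNEGO:
        raise ValueError("not an SPNEGO token")
    tag, choice, _ = der_read(body, pos)
    if tag != 0xA0:
        raise ValueError("expected negTokenInit")
    _, seq, _ = der_read(choice, 0)
    mechs, mech_token, pos = [], b"", 0
    while pos < len(seq):
        tag, field, pos = der_read(seq, pos)
        if tag == 0xA0:
            _, lst, _ = der_read(field, 0)
            p = 0
            while p < len(lst):
                t, o, p = der_read(lst, p)
                if t != 0x06:
                    raise ValueError("mechTypes entry is not an OID")
                mechs.append(oid_decode(o))
        elif tag == 0xA2:
            _, mech_token, _ = der_read(field, 0)
    return mechs, mech_token


# Constructed acceptor policy: which mechanisms this server is willing to run.
SERVER_MECHS = [OID_KRB5, OID_MS_KRB5, OID_NTLMSSP]


def choose_mechanism(client_mechs, server_mechs=SERVER_MECHS, allow_ntlm=True):
    """RFC 4178: the acceptor takes the first mechanism in the *client's* list it supports.
    allow_ntlm=False is the local policy knob that refuses a fall-back to NTLM."""
    for m in client_mechs:
        if m in server_mechs and (allow_ntlm or m != OID_NTLMSSP):
            return m
    return None
```

Because the choice follows the client's ordering, an acceptor that lists NTLM among its mechanisms will run NTLM whenever a client puts it first; the integrity of that list is only guaranteed once the mechListMIC exchange completes, so an acceptor that wants to be sure Kerberos was not stripped from the offer has to verify the MIC and apply a policy such as `allow_ntlm=False` rather than trusting the order alone.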