Crazy ideas about Kerberos, NTLM and PACs... (was NTLMSSP...)

Joakim Fallsjö (ISK) fallsjo at isk.kth.se
Thu Nov 22 08:01:02 GMT 2001


Andrew Bartlett wrote:
> 
> Luke Howard wrote:
> >
> > > ...which is why ms created draft-brezak-krb5-rc4-hmac-01.txt
> > > which uses nt hashes for authentication and encryption.
> >
> > Not _why_, I don't think. This draft defines a mechanism for
> > migrating NT hashes to Kerberos, but it doesn't encapsulate
> > the NTLM authentication exchange in Kerberos, which I think is
> > what Andrew is proposing. I can't see how the latter is possible.
> 
> My insane idea is as follows:
> 
> Samba (acting as an NT4 server, to NT4 clients) gets an attempted NTLM
> login.  Samba then contacts (via a new protocol) the extended KDC to
> obtain a challenge, and hands back the client's response.  This is done
> over a secure channel, based on the Samba server's own keytab.  This
> response includes the unencrypted TGT, session key and the first 8 bytes
> of the LM hash, which Samba then uses to access other network resources.
> 
I have been talking in terms of this solution with the developers behind
Heimdal (Assar). Our idea was to implement an out-of-band service - like
the KDC for sending challenge-response to and from a Samba server. For
now it's on hold, but we might continue later on when time is available.

/JockeF
