Crazy ideas about Kerberos, NTLM and PACs... (was NTLMSSP...)
Luke Kenneth Casson Leighton
lkcl at samba-tng.org
Thu Nov 22 15:40:05 GMT 2001
you need more than just the chal-resp. talk to
luke howard (lukeh at padl.com).
i'd say more but i have very, very little time.
On Thu, Nov 22, 2001 at 04:59:48PM +0100, Joakim Fallsj? wrote:
> Andrew Bartlett wrote:
> > Luke Howard wrote:
> > >
> > > > ...which is why ms created draft-brezak-krb5-rc4-hmac-01.txt
> > > > which uses nt hashes for authentication and encryption.
> > >
> > > Not _why_, I don't think. This draft defines a mechanism for
> > > migrating NT hashes to Kerberos, but it doesn't encapsulate
> > > the NTLM authentication exchange in Kerberos, which I think is
> > > what Andrew is proposing. I can't see how the latter is possible.
> > My insane idea is as follows:
> > Samba (acting as an NT4 server, to NT4 clients) gets an attempted NTLM
> > login. Samba then contacts (via a new protocol) the extended KDC to
> > obtain a challenge, and hands back the clients response. This is done
> > over a secure channel, based on the Samba server's own keytab. This
> > response includes the unencrypted TGT, session key and the first 8 bytes
> > of the LM hash, which Samba then uses to access other network resources.
> I have been talking in terms of this solution with the developers behind
> heimdal (assar) our idea was to implement an out of band service - like
> the kdc for sending challange response to and from a samba server. For
> now it's on hold but we might continue later on when time is available.
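A runnable model of the out-of-band exchange sketched above (Samba relays an NTLM challenge/response to an extended KDC over a channel authenticated with its own keytab key and gets back a TGT plus session key), added here as an illustration; it is not code from Samba, Heimdal or this thread. Everything in it is an assumption: the `ExtendedKdc`, `SambaServer` and `NtClient` classes, the HMAC-SHA256 "secure channel", the HMAC-MD5 (NTLMv2-style) response instead of NTLMv1's DES, the KDC-MACed blob standing in for a real TGT, and the constructed keys (a real NT hash is MD4 over the UTF-16LE password). The LM-hash prefix from the proposal is omitted. The point a defender cares about is visible in the code: the member server never holds a user key, a challenge is single-use and bound to the server that requested it, and a server without the right keytab key cannot even ask for one.

```python
import hashlib
import hmac
import secrets


def ntlm_response(user_key: bytes, challenge: bytes) -> bytes:
    """NTLMv2-style response: HMAC-MD5 keyed with the user's NT hash over the
    server challenge (simplified: the real NTLMv2 response also covers a client
    blob; NTLMv1 uses DES). Assumed model, not the wire format."""
    return hmac.new(user_key, challenge, hashlib.md5).digest()


class ExtendedKdc:
    """Hypothetical 'extended KDC' from the thread: holds each user's NT hash as
    its Kerberos key (per the rc4-hmac draft) and one key per member server
    (that server's keytab). Member servers never receive user keys."""

    def __init__(self, user_keys, server_keys):
        self.user_keys = user_keys
        self.server_keys = server_keys
        self.pending = {}  # challenge -> server it was issued to (single use)

    def _mac(self, server, data):
        return hmac.new(self.server_keys[server], data, hashlib.sha256).digest()

    def get_challenge(self, server, authenticator):
        # the "secure channel": every request is authenticated under the keytab key
        if not hmac.compare_digest(self._mac(server, b"chal-req"), authenticator):
            raise PermissionError("request not authenticated with server keytab")
        challenge = secrets.token_bytes(8)
        self.pending[challenge] = server
        return challenge

    def verify(self, server, user, challenge, response, authenticator):
        msg = b"verify" + user.encode() + challenge + response
        if not hmac.compare_digest(self._mac(server, msg), authenticator):
            raise PermissionError("request not authenticated with server keytab")
        # reject unknown, already-used, or other-server challenges (replay defence)
        if self.pending.pop(challenge, None) != server:
            return None
        key = self.user_keys.get(user)
        if key is None or not hmac.compare_digest(ntlm_response(key, challenge), response):
            return None
        session_key = secrets.token_bytes(16)
        # the proposal's "unencrypted TGT", modeled as an opaque blob MACed by the KDC
        tgt = user.encode() + b"|" + hmac.new(
            self.server_keys["krbtgt"], user.encode() + session_key, hashlib.sha256).digest()
        return {"session_key": session_key, "tgt": tgt}


class SambaServer:
    """Acts as an NT4 server toward clients; relays the NTLM exchange to the KDC."""

    def __init__(self, name, keytab_key, kdc):
        self.name, self.keytab_key, self.kdc = name, keytab_key, kdc

    def _auth(self, data):
        return hmac.new(self.keytab_key, data, hashlib.sha256).digest()

    def ntlm_login(self, client):
        challenge = self.kdc.get_challenge(self.name, self._auth(b"chal-req"))
        user, response = client.answer(challenge)
        msg = b"verify" + user.encode() + challenge + response
        # on success Samba holds a TGT and session key it can use toward other services
        return self.kdc.verify(self.name, user, challenge, response, self._auth(msg))


class NtClient:
    """NT4-style client: only ever sees the challenge, answers with its own key."""

    def __init__(self, user, user_key):
        self.user, self.user_key, self.last = user, user_key, None

    def answer(self, challenge):
        response = ntlm_response(self.user_key, challenge)
        self.last = (challenge, response)  # kept so the demo can attempt a replay
        return self.user, response


def run_demo():
    """Returns (good, replayed, wrong_key, rogue_server_refused)."""
    alice_key = hashlib.sha256(b"constructed-alice-key").digest()[:16]  # stand-in NT hash
    samba_key = secrets.token_bytes(32)                                  # stand-in keytab
    kdc = ExtendedKdc({"alice": alice_key},
                      {"SAMBA1": samba_key, "krbtgt": secrets.token_bytes(32)})
    samba = SambaServer("SAMBA1", samba_key, kdc)
    alice = NtClient("alice", alice_key)
    good = samba.ntlm_login(alice)
    # replay: resubmit the already-consumed challenge/response pair
    chal, resp = alice.last
    replayed = kdc.verify("SAMBA1", "alice", chal, resp,
                          samba._auth(b"verify" + b"alice" + chal + resp))
    wrong = samba.ntlm_login(NtClient("alice", hashlib.sha256(b"guess").digest()[:16]))
    try:  # a server without the real keytab key cannot obtain a challenge
        SambaServer("SAMBA1", secrets.token_bytes(32), kdc).ntlm_login(alice)
        rogue_refused = False
    except PermissionError:
        rogue_refused = True
    return good, replayed, wrong, rogue_refused


if __name__ == "__main__":
    print(run_demo())
```

Run it and the first element is a session key plus TGT blob, while the replayed response, the wrong-key login and the rogue server all fail.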