Does the Samba 4 LDAP server support GSS-SPNEGO over SASL

Luke Howard lukeh at padl.com
Mon Dec 11 13:14:18 GMT 2006


>Still, most services using (cyrus-)sasl require access to plaintext
>passwords. For digest-md5 it might be sufficient to store H(A1), but
>what about other mechanisms? Since mechanism-specific passwords like
>cmusaslsecret<mech> haven't made it, I see no way not to store plaintext
>on the server side (which I really really hate to do).

Well, what other password-based mechanisms do you care about?

The only two others I can think of that are commonly used with SASL
are NTLM and CRAM-MD5.

For NTLM, the key material is the MD4 digest of the UCS2-LE encoding
of the password. For CRAM-MD5 it is an encoding of the intermediate
MD5 state (but does anyone actually use this?)

I note that in a distributed environment you typically want to do
"pass-through" authentication (as Microsoft are wont to call it)
to some kind of central authentication service.

-- Luke

--
www.padl.com | www.lukehoward.com
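
Added example, not part of the original message and not Samba or Cyrus SASL code: a server-side DIGEST-MD5 check per RFC 2831 that keeps only the 16-byte H(username:realm:password) value instead of the plaintext. It assumes charset=utf-8, qop=auth and no authzid; the function names, user, realm, nonces and password are constructed for illustration.

```python
import hashlib
import hmac

def md5(data: bytes) -> bytes:
    return hashlib.md5(data).digest()

def stored_secret(username: str, realm: str, password: str) -> bytes:
    # The 16-byte value the server keeps in place of the plaintext password.
    # It is bound to the realm, and it is all that is needed to compute a
    # response, so it needs the same protection as a password for that realm.
    return md5(f"{username}:{realm}:{password}".encode("utf-8"))

def digest_response(secret: bytes, nonce: str, cnonce: str, nc: str,
                    digest_uri: str, qop: str = "auth") -> str:
    # RFC 2831 response-value for qop=auth with no authzid.
    a1 = secret + f":{nonce}:{cnonce}".encode("utf-8")
    a2 = f"AUTHENTICATE:{digest_uri}".encode("utf-8")
    kd_input = f"{md5(a1).hex()}:{nonce}:{nc}:{cnonce}:{qop}:{md5(a2).hex()}"
    return md5(kd_input.encode("utf-8")).hex()

def server_verify(db: dict, username: str, realm: str, nonce: str, cnonce: str,
                  nc: str, digest_uri: str, response: str) -> bool:
    # The server recomputes the response from its stored secret only.
    secret = db.get((username, realm))
    if secret is None:
        return False
    expected = digest_response(secret, nonce, cnonce, nc, digest_uri)
    return hmac.compare_digest(expected, response.lower())

# Constructed sample data (not taken from any real deployment).
USER, REALM, URI = "alice", "example.test", "ldap/dc1.example.test"
NONCE, CNONCE, NC = "c2VydmVyLW5vbmNl", "Y2xpZW50LW5vbmNl", "00000001"
DB = {(USER, REALM): stored_secret(USER, REALM, "correct horse")}

def client_response(password: str) -> str:
    # The client side starts from the plaintext and derives the same secret.
    secret = stored_secret(USER, REALM, password)
    return digest_response(secret, NONCE, CNONCE, NC, URI)

if __name__ == "__main__":
    for pw in ("correct horse", "wrong"):
        ok = server_verify(DB, USER, REALM, NONCE, CNONCE, NC, URI,
                           client_response(pw))
        print(pw, "->", ok)
```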

