[PATCH] using gensec_ntlmssp in s3

Andrew Bartlett abartlet at samba.org
Sat Feb 4 03:03:15 MST 2012

On Tue, 2012-01-31 at 21:43 +1100, Andrew Bartlett wrote:
> I've prepared a series of patches to merge the gensec_ntlmssp
> server-side modules:
> http://git.samba.org/?p=abartlet/samba.git/.git;a=shortlog;h=refs/heads/s3-merge-ntlmssp
> There is still work to do, to remove the remaining calls directly to the
> ntlmssp server code (in ntlm_auth), but at least some of this
> duplication has been reduced, and we are one step closer to a common
> authentication stack.  

I've continued this branch, building on top of the changes to have a
common NTLMSSP server, and to have a common interface for all NTLM
authentication.  We talked about doing this with gensec, but encountered
the difficulty of handling old-style NTLM logins and security=server
(with the challenge reuse).  So, instead I simply expose exactly the
layer under gensec_ntlmssp, returning only the auth_session_info, and
not the confusing auth_serversupplied_info to the caller. 

Once the security=share proposal (on which this branch is also based) is
resolved one way or the other, I would like to see this branch merged to

This is the last set of changes required to get consistent NTLM
authentication and authorization across all possible CIFS entry-points.
That is, it ensures that a login on raw NTLM and the same login on
NTLMSSP returns identical groups and privileges in both CIFS servers. 


Andrew Bartlett

Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
