Issues bringing 'new SPENGO' to MIT Kerberos 1.8 builds

Luke Howard lukeh at
Tue Feb 14 20:03:27 MST 2012

On 15/02/2012, at 8:27 AM, Andrew Bartlett wrote:

> We would have to have a good way to push NTLMSSP and any other mech we
> wished to introduce into GSSAPI's SPNEGO.  Then, once we get those in,
> we would also need a good way to get out the PAC-equivalent and session
> keys etc, and set up the auth context that the authentication would be
> used.

You'd have to rewrite (or wrap) your mechanisms as GSS-API mechanisms and install them as such. Generally it's possible to build a mechanism for both MIT and Heimdal from a single codebase, without too much redundant code.

However, as you point out, it doesn't get you async.

-- Luke

More information about the samba-technical mailing list