#3 Integrate with Samba's winbind
Closed 6 years ago Opened 10 years ago by dwmw2.

We want gss-ntlmssp to be a complete drop-in replacement for Samba's horrible /usr/bin/ntlm_auth helper tool.

That basically means it needs to work when winbind is the only thing on the system which knows the password (e.g. because I've primed it with wbinfo -K dwoodhou). That's a use case that works today with winbind, and needs to continue working with gss-ntlmssp.

There's already a winbindd method which will perform NTLM authentication (which ntlm_auth uses), but it doesn't return the information we need to subsequently generate or verify a MIC. We'd need it to return the signing/sealing keys, or the underlying random session key it generated.

We could add a method which makes it do this. I'm assuming that a patch to make it just hand out the password to any client that asks nicely would not stand much chance of being accepted upstream...

There are other ways this can work, perhaps. But it needs to work, without extra PAM modules etc.
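Why the helper needs the session key and not just a pass/fail answer, as an added Python example that is not part of the original ticket and is not gss-ntlmssp or Samba code: the NTLMSSP MIC defined in MS-NLMP is an HMAC-MD5, keyed with the exported session key, over the NEGOTIATE, CHALLENGE and AUTHENTICATE messages with the MIC field zeroed. The MIC offset of 72 assumes the Version field is present; the function names, messages and key are constructed placeholders.

```python
import hashlib
import hmac
import struct

MIC_OFFSET = 72  # assumption: MS-NLMP AUTHENTICATE_MESSAGE layout with Version field present
MIC_LEN = 16

def compute_mic(session_key, negotiate, challenge, authenticate):
    """HMAC-MD5, keyed with the exported session key, over all three
    handshake messages with the MIC field of the last one zeroed."""
    if len(authenticate) < MIC_OFFSET + MIC_LEN:
        raise ValueError("AUTHENTICATE_MESSAGE too short to carry a MIC")
    zeroed = (authenticate[:MIC_OFFSET] + bytes(MIC_LEN)
              + authenticate[MIC_OFFSET + MIC_LEN:])
    return hmac.new(session_key, negotiate + challenge + zeroed, hashlib.md5).digest()

def sign_authenticate(session_key, negotiate, challenge, authenticate):
    """Client side: return the AUTHENTICATE_MESSAGE with the MIC filled in."""
    mic = compute_mic(session_key, negotiate, challenge, authenticate)
    return authenticate[:MIC_OFFSET] + mic + authenticate[MIC_OFFSET + MIC_LEN:]

def verify_mic(session_key, negotiate, challenge, authenticate):
    """Server side: constant-time check of the MIC carried in the message."""
    carried = authenticate[MIC_OFFSET:MIC_OFFSET + MIC_LEN]
    expected = compute_mic(session_key, negotiate, challenge, authenticate)
    return hmac.compare_digest(carried, expected)

def fake_message(msg_type, length):
    """Constructed placeholder: NTLMSSP signature + type + filler bytes."""
    head = b"NTLMSSP\x00" + struct.pack("<I", msg_type)
    return head + bytes([msg_type]) * (length - len(head))

# Constructed sample values, not captured traffic.
SESSION_KEY = bytes(range(16))
NEGOTIATE = fake_message(1, 40)
CHALLENGE = fake_message(2, 56)
AUTHENTICATE = fake_message(3, 120)

if __name__ == "__main__":
    signed = sign_authenticate(SESSION_KEY, NEGOTIATE, CHALLENGE, AUTHENTICATE)
    print("MIC:", signed[MIC_OFFSET:MIC_OFFSET + MIC_LEN].hex())
    print("right key:", verify_mic(SESSION_KEY, NEGOTIATE, CHALLENGE, signed))
    print("wrong key:", verify_mic(bytes(16), NEGOTIATE, CHALLENGE, signed))
    downgraded = NEGOTIATE[:12] + b"\x00" + NEGOTIATE[13:]
    print("altered NEGOTIATE:", verify_mic(SESSION_KEY, downgraded, CHALLENGE, signed))
```

A caller that only learns "authentication succeeded" from the helper cannot run either `sign_authenticate` or `verify_mic`, which is the gap the ticket describes.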


I think winbind actually already gives us everything we need.
See https://git.samba.org/?p=samba.git;a=commitdiff;h=fe348fdb2862442

Metadata Update from @dwmw2:
- Issue assigned to simo

7 years ago

Done long ago, not optimal but mostly working.

Metadata Update from @simo:
- Issue close_status updated to: None
- Issue priority set to: None (was: 3)
- Issue status updated to: Closed (was: Open)

6 years ago

Yeah, now we just need to make it work for SSSD users somehow, too...
