From 226d72c09317bdff86afc9698d5bfb89948682e0 Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Mar 31 2017 21:56:40 +0000 Subject: Rename and split the README file Use markdown for neat formatting on pagure. This file is used as the project description so add information on other related documentation and split out the old testing information. Signed-off-by: Simo Sorce --- diff --git a/README.md b/README.md new file mode 100644 index 0000000..e5f8673 --- /dev/null +++ b/README.md @@ -0,0 +1,30 @@ +GSS-NTLMSSP +=========== + +This is a mechglue plugin for the GSSAPI library that implements NTLM +authentication. + +So far it has been built and tested only with the libgssapi implementation +that comes with MIT Kerberos (Versions 1.11 and above) + + + +### Project Information + + +The project is currently hosted on [pagure](https://pagure.io/gssntlmssp) +Project related information (releases, hot to contribute, coding style, etc.. +is available in the [docs page](https://pagure.io/docs/gssntlmssp/) + + + +### Acknowlegments + +##### Protocol Documentation: +This project has been made much simpler thanks to the work done by the Samba +Team first in Samba and Microsoft later by releasing documents such as +[MS-NLMP](https://winprotocoldoc.blob.core.windows.net/productionwindowsarchives/MS-NLMP/[MS-NLMP].pdf). + +##### OID Space: +The Samba Project kindly donated this OID space: 1.3.6.1.4.1.7165.655.1.x + diff --git a/README.txt b/README.txt deleted file mode 100644 index c308696..0000000 --- a/README.txt +++ /dev/null 
@@ -1,76 +0,0 @@ - -GSS-NTLMSSP -=========== - -This is a mechglue plugin for the GSSAPI library that implements NTLM -authentication. - -So far it has been built and tested only with the libgssapi implementation -that comes with MIT Kerberos 1.11 - -OID Space -========= - -The Samba Project kindly donated this OID space: 1.3.6.1.4.1.7165.655.1.x - -BUILDING -======== - -See BUILD.txt - - -TESTING -======= - -Testsuite: ----------- - -Run ./ntlmssptest at your leisure, it just insures that the crypto is -working correctly. - -Real testing: -------------- - -There are exactly 2 configuration knobs at this point, and both need to -be set right. - -1. The gss configruation file. - -In order to load the mechanism into GSSAPI copy the content of the file -examples/mech.ntlmssp into /etc/gss/mech -If you are installing in a non standard path check that the location -of the shared object matches where you installed it in your system - -2. The credentials file - -Set the environment variable NTLM_USER_FILE to a path to a file with -your NTLM cedentials in it. -The file format is the same as the one used by the gss ntlm mechanism -that can be found in Heimdal. Super simple, one or more lines with: -DOMAIN:USERNAME:PASSWORD as elements separated by ':' - -For example: -ADDOM:Administrator:Passw0rd - -Testing Application: --------------------- - -So far the only application that seem to properly use GSSAPI and -therfore will work unmodified is Firefox. I tried also Curl, but even -after making some patches to let it use the builtin SPNEGO implementation -of GSSAPI it seem that the code is hardcoded to believe there will always -only ever be one roundtrip. This is not necessarily true with the krb5 -mechanism although it works with that with current implementations. -I will need more patches for curl, meanwhile use firefox. - -The server: I am using a Windows Server with IIS installed and Windows -Authentication enabled. 
- -In Firefox go in about:config and set the string list named -network.negotiate-auth.trusted-uris to your Windows server domain -name suffix. This is necessary otherwise Firefox will not even attempt to -perform negotiation, regardles of the Mechanism used. - -Example: -network.negotiate-auth.trusted-uris = .addom.example.com - diff --git a/TESTING.txt b/TESTING.txt new file mode 100644 index 0000000..1fbfee8 --- /dev/null +++ b/TESTING.txt 
@@ -0,0 +1,55 @@ +TESTING +======= + +Testsuite: +---------- + +Run ./ntlmssptest at your leisure, it just insures that the crypto is +working correctly. + +Real testing: +------------- + +There are exactly 2 configuration knobs at this point, and both need to +be set right. + +1. The gss configruation file. + +In order to load the mechanism into GSSAPI copy the content of the file +examples/mech.ntlmssp into /etc/gss/mech +If you are installing in a non standard path check that the location +of the shared object matches where you installed it in your system + +2. The credentials file + +Set the environment variable NTLM_USER_FILE to a path to a file with +your NTLM cedentials in it. +The file format is the same as the one used by the gss ntlm mechanism +that can be found in Heimdal. Super simple, one or more lines with: +DOMAIN:USERNAME:PASSWORD as elements separated by ':' + +For example: +ADDOM:Administrator:Passw0rd + +Testing Application: +-------------------- + +So far the only application that seem to properly use GSSAPI and +therfore will work unmodified is Firefox. I tried also Curl, but even +after making some patches to let it use the builtin SPNEGO implementation +of GSSAPI it seem that the code is hardcoded to believe there will always +only ever be one roundtrip. This is not necessarily true with the krb5 +mechanism although it works with that with current implementations. +I will need more patches for curl, meanwhile use firefox. + +The server: I am using a Windows Server with IIS installed and Windows +Authentication enabled. + +In Firefox go in about:config and set the string list named +network.negotiate-auth.trusted-uris to your Windows server domain +name suffix. This is necessary otherwise Firefox will not even attempt to +perform negotiation, regardles of the Mechanism used. + +Example: +network.negotiate-auth.trusted-uris = .addom.example.com +
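Review bot: in the README.md hunk, the Project Information paragraph has an unclosed parenthesis and a typo: "(releases, hot to contribute, coding style, etc.." should read "(releases, how to contribute, coding style, etc.)". The sentence ending at the [pagure] link also needs a full stop, because markdown will join it with the next line into one paragraph. The heading "### Acknowlegments" should be spelled "Acknowledgments", and the subheadings below it jump from ### straight to #####; using #### would keep the levels consecutive.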
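Review bot: the README.txt deletion removes the BUILDING section ("See BUILD.txt") and the TESTING section, but the new README.md links only to the pagure docs page and never names BUILD.txt or the new TESTING.txt. The commit message says the README now carries information on related documentation, so consider adding a short section to README.md that points at both files, so a reader working from the source tree alone can still find the build and test instructions.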
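Review bot: in the TESTING.txt hunk, step 2 has the reader store DOMAIN:USERNAME:PASSWORD in clear text in the file named by NTLM_USER_FILE, with no guidance on protecting that file. Suggest adding that the file should be readable only by the user running the test (mode 0600) and that a dedicated test account is a better example than "ADDOM:Administrator:Passw0rd". The format description "elements separated by ':'" also leaves open how a password that itself contains ':' is handled; one sentence on that would help. Since this text is being moved anyway, the spelling carried over from README.txt could be fixed in the same commit: "configruation", "cedentials", "therfore", "regardles", and "insures" where "ensures" is meant.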