Bug 963341

Summary: [RFE] NTLMSSP support in MIT GSSAPI
Product: [Fedora] Fedora
Component: krb5
Version: rawhide
Status: CLOSED CURRENTRELEASE
Severity: unspecified
Priority: unspecified
Hardware: Unspecified
OS: Unspecified
Reporter: Stef Walter <stefw>
Assignee: Robbie Harwood <rharwood>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: abokovoy, dpal, dwmw2, nalin, nathaniel, ssorce
Doc Type: Bug Fix
Type: Bug
Last Closed: 2015-10-29 19:14:02 UTC

Description Stef Walter 2013-05-15 17:18:17 UTC
At Samba XP, Simo, Alexander and a few others of us were discussing that we probably want to add support for NTLMSSP to MIT GSSAPI.

Doing this would allow us to use client programs like adcli with NTLMSSP authentication. Hearing the discussions here, there are apparently lots of situations in the wild where the fallback to NTLMSSP is common, and not supporting that would cause problems for some large deployments.

This is mainly for the client side, although it might include a reference server implementation for testing against.

I believe this would also be a big step towards getting samba working with MIT krb5.

Comment 1 David Woodhouse 2013-07-09 08:47:21 UTC
Note that a bunch of clients authenticate not through GSSAPI+NTLMSSP, but 'raw' NTLM instead. There are separate methods in IMAP, HTTP, etc.

Such clients are often capable of invoking Samba's /usr/bin/ntlm_auth helper tool to handle the NTLM exchange, so perhaps if we do NTLMSSP support via GSSAPI then we'd also want to provide a reimplementation of same, which is just a wrapper around the GSSAPI implementation.

Simo has started work at https://git.samba.org/?p=idra/gss-ntlmssp.git

Comment 2 David Woodhouse 2014-09-25 10:43:55 UTC
This is working nicely now for us. We've fixed a few issues in the MIT krb5 SPNEGO implementation w.r.t. fallback, and we have Simo's gss-ntlmssp talking to winbind to get creds. It works for Firefox, Chrome, Evolution, curl, and various other things. It's all good... except for Samba.

I'd have hoped that using 'smbclient -k' would work now that SPNEGO Just Works for other users. It doesn't (and doesn't even work with krb5 either when it uses the wrong SPN for the server):
 https://bugzilla.samba.org/show_bug.cgi?id=10288

In fact, smbclient doesn't even seem to work with using cached credentials directly from winbind, even though that's *supposed* to be supported:
 https://bugzilla.samba.org/show_bug.cgi?id=10279

Comment 3 Fedora Admin XMLRPC Client 2014-10-06 16:37:24 UTC
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.

Comment 4 Fedora Admin XMLRPC Client 2015-09-01 21:35:30 UTC
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.

Comment 5 Simo Sorce 2015-10-29 19:14:02 UTC
We have gssntlmssp, so this bug should be resolved now.