Bug 963341 - [RFE] NTLMSSP support in MIT GSSAPI
Product: Fedora
Classification: Fedora
Component: krb5
Assigned To: Robbie Harwood
Fedora Extras Quality Assurance
Reported: 2013-05-15 13:18 EDT by Stef Walter
Modified: 2015-10-29 15:14 EDT
Doc Type: Bug Fix
Last Closed: 2015-10-29 15:14:02 EDT
Type: Bug

Description Stef Walter 2013-05-15 13:18:17 EDT
At Samba XP, Simo, Alexander and a few others of us were discussing that we probably want to add support for NTLMSSP to MIT GSSAPI.

Doing this would allow us to use client programs like adcli with NTLMSSP authentication. Hearing the discussions here, there are apparently lots of situations in the wild where the fallback to NTLMSSP is common, and not supporting that would cause problems for some large deployments.

This is mainly for the client side, although it might include a reference server implementation for testing against.

I believe this would also be a big step towards getting samba working with MIT krb5.
Comment 1 David Woodhouse 2013-07-09 04:47:21 EDT
Note that a bunch of clients authenticate not through GSSAPI+NTLMSSP, but 'raw' NTLM instead. There are separate methods in IMAP, HTTP, etc.

Such clients are often capable of invoking Samba's /usr/bin/ntlm_auth helper tool to handle the NTLM exchange, so perhaps if we do NTLMSSP support via GSSAPI then we'd also want to provide a reimplementation of same, which is just a wrapper around the GSSAPI implementation.

Simo has started work at https://git.samba.org/?p=idra/gss-ntlmssp.git
Comment 2 David Woodhouse 2014-09-25 06:43:55 EDT
This is working nicely now for us. We've fixed a few issues in the MIT krb5 SPNEGO implementation w.r.t. fallback, and we have Simo's gss-ntlmssp talking to winbind to get creds. It works for Firefox, Chrome, Evolution, curl, and various other things. It's all good... except for Samba.

I'd have hoped that using 'smbclient -k' would work now that SPNEGO Just Works for other users. It doesn't (and doesn't even work with krb5 either when it uses the wrong SPN for the server):

In fact, smbclient doesn't even seem to work with using cached credentials directly from winbind, even though that's *supposed* to be supported:
Comment 3 Fedora Admin XMLRPC Client 2014-10-06 12:37:24 EDT
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.
Comment 4 Fedora Admin XMLRPC Client 2015-09-01 17:35:30 EDT
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.
Comment 5 Simo Sorce 2015-10-29 15:14:02 EDT
We have gssntlmssp so this bug should be resolved now
