Bug 963341 - [RFE] NTLMSSP support in MIT GSSAPI
Alias: None
Product: Fedora
Classification: Fedora
Component: krb5
Version: rawhide
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Robbie Harwood
QA Contact: Fedora Extras Quality Assurance
Depends On:
Reported: 2013-05-15 17:18 UTC by Stef Walter
Modified: 2015-10-29 19:14 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2015-10-29 19:14:02 UTC
Type: Bug


Description Stef Walter 2013-05-15 17:18:17 UTC
At Samba XP, Simo, Alexander and a few others of us were discussing that we probably want to add support for NTLMSSP to MIT GSSAPI.

Doing this would allow us to use client programs like adcli with NTLMSSP authentication. Hearing the discussions here, there are apparently lots of situations in the wild where the fallback to NTLMSSP is common, and not supporting that would cause problems for some large deployments.

This is mainly for the client side, although it might include a reference server implementation for testing against.

I believe this would also be a big step towards getting samba working with MIT krb5.

Comment 1 David Woodhouse 2013-07-09 08:47:21 UTC
Note that a bunch of clients authenticate not through GSSAPI+NTLMSSP, but 'raw' NTLM instead. There are separate methods in IMAP, HTTP, etc.

Such clients are often capable of invoking Samba's /usr/bin/ntlm_auth helper tool to handle the NTLM exchange, so perhaps if we do NTLMSSP support via GSSAPI then we'd also want to provide a reimplementation of same, which is just a wrapper around the GSSAPI implementation.

Simo has started work at https://git.samba.org/?p=idra/gss-ntlmssp.git

Comment 2 David Woodhouse 2014-09-25 10:43:55 UTC
This is working nicely now for us. We've fixed a few issues in the MIT krb5 SPNEGO implementation w.r.t. fallback, and we have Simo's gss-ntlmssp talking to winbind to get creds. It works for Firefox, Chrome, Evolution, curl, and various other things. It's all good... except for Samba.

I'd have hoped that using 'smbclient -k' would work now that SPNEGO Just Works for other users. It doesn't (and doesn't even work with krb5 either when it uses the wrong SPN for the server):

In fact, smbclient doesn't even seem to work with using cached credentials directly from winbind, even though that's *supposed* to be supported:

Comment 3 Fedora Admin XMLRPC Client 2014-10-06 16:37:24 UTC
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.

Comment 4 Fedora Admin XMLRPC Client 2015-09-01 21:35:30 UTC
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.

Comment 5 Simo Sorce 2015-10-29 19:14:02 UTC
We have gssntlmssp so this bug should be resolved now
