Red Hat Bugzilla – Bug 963341
[RFE] NTLMSSP support in MIT GSSAPI
Last modified: 2015-10-29 15:14:02 EDT
At Samba XP, Simo, Alexander and a few others of us were discussing that we probably want to add support for NTLMSSP to MIT GSSAPI.
Doing this would allow us to use client programs like adcli with NTLMSSP authentication. Hearing the discussions here, there are apparently lots of situations in the wild where the fallback to NTLMSSP is common, and not supporting that would cause problems for some large deployments.
This is mainly for the client side, although it might include a reference server implementation for testing against.
I believe this would also be a big step towards getting samba working with MIT krb5.
Note that a bunch of clients authenticate not through GSSAPI+NTLMSSP, but 'raw' NTLM instead. There are separate methods in IMAP, HTTP, etc.
Such clients are often capable of invoking Samba's /usr/bin/ntlm_auth helper tool to handle the NTLM exchange, so perhaps if we do NTLMSSP support via GSSAPI then we'd also want to provide a reimplementation of same, which is just a wrapper around the GSSAPI implementation.
Simo has started work at https://git.samba.org/?p=idra/gss-ntlmssp.git
This is working nicely now for us. We've fixed a few issues in the MIT krb5 SPNEGO implementation w.r.t. fallback, and we have Simo's gss-ntlmssp talking to winbind to get creds. It works for Firefox, Chrome, Evolution, curl, and various other things. It's all good... except for Samba.
I'd have hoped that using 'smbclient -k' would work now that SPNEGO Just Works for other users. It doesn't (and doesn't even work with krb5 either when it uses the wrong SPN for the server):
In fact, smbclient doesn't even seem to work with using cached credentials directly from winbind, even though that's *supposed* to be supported:
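The SPNEGO fallback discussed in this thread is visible on the wire: a client's initial negTokenInit lists the mechanisms it offers in preference order, so a Kerberos-capable client lists krb5 first with NTLMSSP behind it, while a client with no ticket offers NTLMSSP alone. The following is an added, self-contained example (it is not code from gss-ntlmssp, MIT krb5 or Samba) that builds two such tokens from constructed sample data and parses them the way a defender would triage an HTTP `Authorization: Negotiate` header to see whether NTLMSSP fallback is happening. The DER helpers assume single-byte tags, which is all SPNEGO uses; the NTLMSSP flags value and the empty Kerberos mechToken are constructed stand-ins.

```python
import base64

# OIDs from RFC 4178 (SPNEGO), RFC 4121 (Kerberos) and Microsoft's NTLMSSP
# mechanism; "MS KRB5" is the legacy Windows Kerberos variant.
SPNEGO_OID = "1.3.6.1.5.5.2"
KRB5_OID = "1.2.840.113554.1.2.2"
MS_KRB5_OID = "1.2.840.48018.1.2.2"
NTLMSSP_OID = "1.3.6.1.4.1.311.2.2.10"
MECH_NAMES = {KRB5_OID: "krb5", MS_KRB5_OID: "ms-krb5", NTLMSSP_OID: "ntlmssp"}
NTLM_MSG_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}


# --- minimal DER helpers (single-byte tags only) ---

def der_len(n):
    """DER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:                      # base-128, high bit set on all but the last byte
            chunk.append((arc & 0x7F) | 0x80)
            arc >>= 7
        out += bytes(reversed(chunk))
    return tlv(0x06, bytes(out))


def read_tlv(buf, pos=0):
    """Return (tag, body, position just after the element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(body):
    arcs, n = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(map(str, arcs))


# --- building a SPNEGO negTokenInit (constructed sample input) ---

def build_neg_token_init(mech_oids, mech_token):
    """GSS-API initial token: [APPLICATION 0] { OID spnego, [0] NegTokenInit }."""
    mech_list = tlv(0x30, b"".join(encode_oid(o) for o in mech_oids))
    fields = tlv(0xA0, mech_list) + tlv(0xA2, tlv(0x04, mech_token))   # [0] mechTypes, [2] mechToken
    return tlv(0x60, encode_oid(SPNEGO_OID) + tlv(0xA0, tlv(0x30, fields)))


def build_ntlmssp_negotiate(flags=0x00000001):
    """Minimal NTLMSSP NEGOTIATE_MESSAGE: signature, type 1, flags, empty domain
    and workstation fields. The flags value is an arbitrary constructed sample."""
    return b"NTLMSSP\x00" + (1).to_bytes(4, "little") + flags.to_bytes(4, "little") + bytes(16)


# --- parsing, as a defender inspecting a captured header would ---

def parse_spnego_init(token):
    """Return (offered mech OIDs in preference order, optimistic mechToken or None)."""
    tag, body, _ = read_tlv(token)
    if tag != 0x60:
        raise ValueError("not a GSS-API initial context token")
    tag, oid, pos = read_tlv(body)
    if tag != 0x06 or decode_oid(oid) != SPNEGO_OID:
        raise ValueError("outer mechanism is not SPNEGO")
    tag, neg, _ = read_tlv(body, pos)
    if tag != 0xA0:
        raise ValueError("expected negTokenInit")
    _, seq, _ = read_tlv(neg)
    mechs, mech_token, pos = [], None, 0
    while pos < len(seq):
        tag, field, pos = read_tlv(seq, pos)
        if tag == 0xA0:                              # [0] mechTypes: SEQUENCE OF OID
            _, lst, _ = read_tlv(field)
            p = 0
            while p < len(lst):
                _, oid, p = read_tlv(lst, p)
                mechs.append(decode_oid(oid))
        elif tag == 0xA2:                            # [2] mechToken: OCTET STRING
            _, mech_token, _ = read_tlv(field)
    return mechs, mech_token


def ntlmssp_message_type(mech_token):
    """Name of the NTLMSSP message carried as mechToken, or None if it is not NTLMSSP."""
    if not mech_token or mech_token[:8] != b"NTLMSSP\x00":
        return None
    return NTLM_MSG_TYPES.get(int.from_bytes(mech_token[8:12], "little"), "UNKNOWN")


def summarize_negotiate(header_value):
    """Triage summary of an HTTP 'Authorization: Negotiate <base64>' header value."""
    token = base64.b64decode(header_value.split(None, 1)[1])
    mechs, mech_token = parse_spnego_init(token)
    names = [MECH_NAMES.get(m, m) for m in mechs]
    return {
        "preferred": names[0] if names else None,
        "offers_kerberos": any(m in (KRB5_OID, MS_KRB5_OID) for m in mechs),
        "offers_ntlmssp": NTLMSSP_OID in mechs,
        "ntlmssp_fallback_only": mechs == [NTLMSSP_OID],
        "optimistic_ntlm_message": ntlmssp_message_type(mech_token),
    }


# Constructed samples: a client holding a Kerberos ticket offers krb5 first with
# NTLMSSP as fallback (the AP-REQ mechToken is left empty here); a client with
# no ticket offers NTLMSSP alone and sends its NEGOTIATE message up front.
KRB_FIRST = "Negotiate " + base64.b64encode(
    build_neg_token_init([MS_KRB5_OID, KRB5_OID, NTLMSSP_OID], b"")).decode()
NTLM_ONLY = "Negotiate " + base64.b64encode(
    build_neg_token_init([NTLMSSP_OID], build_ntlmssp_negotiate())).decode()

if __name__ == "__main__":
    for name, hdr in (("krb-first", KRB_FIRST), ("ntlm-only", NTLM_ONLY)):
        print(name, summarize_negotiate(hdr))
```

Run against real proxy or web-server logs, the `ntlmssp_fallback_only` flag separates clients that merely list NTLMSSP as a last resort from those that never obtained a ticket at all, which is the population the thread says is common in the wild; a rise in the latter usually points at SPN or KDC reachability problems rather than at the clients.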
This package has changed ownership in the Fedora Package Database. Reassigning to the new owner of this component.
We have gssntlmssp, so this bug should be resolved now.