On Mon, 2005-01-10 at 01:28 +0100, Henrik Nordstrom wrote:
>
> On Mon, 10 Jan 2005, Andrew Bartlett wrote:
>
> > I'm wondering where things are at with SPNEGO support?
>
> The intentions are to have SPNEGO (and significantly cleaned up NTLM)
> support in the 3.0 release.
Great. Any timelines on that?
> The current effort is cleaning up the NTLM support by killing the support
> for challenge reuse and it's related infrastructures. The plan is then to
> extend this to also support the very similar Negotiate HTTP authentication
> scheme carrying SPNEGO blobs.
Great!
> > Anyway, I'm always happy to help, particularly on the Samba side...
>
> Is there a reference implementation (Apache, or perhaps some reference web
> server) using Samba for SPNEGO?
Yes. mod_ntlm_winbind from lorikeet:
http://download.samba.org/ftp/unpacked/lorikeet/trunk/mod_ntlm_winbind/
I then used the ntlm_auth from Samba4 (but Samba3 winbindd as normal),
and this apache config:
<Directory "/usr/local/apache/htdocs/auth">
AuthName "NTLM Authentication thingy"
NegotiateAuth on
NTLMAuth on
NTLMAuthHelper "valgrind --tool=memcheck --num-
callers=32 /data/samba/samba4/svn/source/bin/ntlm_auth --option='auth
methods = winbind' --helper-protocol=squid-2.5-ntlmssp"
NegotiateAuthHelper "valgrind --tool=memcheck --num-
callers=32 /data/samba/samba4/svn/source/bin/ntlm_auth --option='auth
methods = winbind' --helper-protocol=gss-spnego"
NTLMBasicAuthoritative on
AuthType Negotiate
AuthType NTLM
require valid-user
</Directory>
(Oh, and the use of valgrind it's mandetory ;-)
It is possible to prove Kerberos support with this setup, to test
Kerberos support takes a bit more pain, and I'm happy to work with you
on the details (say over IRC).
Andrew Bartlett
-- Andrew Bartlett abartlet@samba.org Authentication Developer, Samba Team http://samba.org Student Network Administrator, Hawker College abartlet@hawkerc.net
This archive was generated by hypermail pre-2.1.9 : Tue Feb 01 2005 - 12:00:02 MST