Re: removing MK_GSSAPI
- In reply to: Rick Macklem : "Re: removing MK_GSSAPI"
Date: Mon, 11 Aug 2025 17:44:38 UTC
In message <CAM5tNy7u_ii9vMnP1zE5bJFf4vYSTvX5MsNKQbLovnauOigFwg@mail.gmail.com>, Rick Macklem writes:
> On Mon, Aug 11, 2025 at 9:33 AM Lexi Winter <ivy@freebsd.org> wrote:
> >
> > Rick Macklem:
> > > Once upon a time, GSSAPI was envisioned to someday have a variety of
> > > mechanisms, with Kerberos being one possible one. That has never
> > > happened
> >
> > i believe Heimdal does provide an NTLM mechanism (libgssapi_ntlm) and
> > also an SPNEGO mechanism which can presumably use either Kerberos or
> > NTLM, but as Heimdal is planned to be removed anyway, i'm not sure this
> > is a reason to keep the knob around just in case someone decides to add
> > those back later.
> Ok, I didn't know about NTLM (I did know that SPNEGO layered on top
> of Kerberos). I doubt we care about a Microsoft protocol and, as you say,
> it could be changed back someday, if need be.

One can use Active Directory as a KDC. Red Hat uses MIT KRB5 for
authentication and SID to UID and SID to GID translation from data provided
by NTLM. I think that could be why the Enterprise Working Group wanted MIT
KRB5 in base.

--
Cheers,
Cy Schubert <Cy.Schubert@cschubert.com>
FreeBSD UNIX: <cy@FreeBSD.org> Web: https://FreeBSD.org
NTP: <cy@nwtime.org> Web: https://nwtime.org

e**(i*pi)+1=0