diff options
-rw-r--r-- | BUILD.txt | 18 | ||||
-rw-r--r-- | README.txt | 72 |
2 files changed, 85 insertions, 5 deletions
@@ -1,8 +1,16 @@ -First off, run: -# autoreconf -f -i +BUILDING +======== + +Usual tools of the trade: + +$ autoreconf -f -i +$ ./configure +$ make + +optionally (for easy installation on Fedora): +$ make rpms -Then the usual ./configure and make In order to build gss-ntlmssp the following development packages are needed: @@ -15,7 +23,7 @@ In order to build gss-ntlmssp the following development packages are needed: libtool libxml2 libxslt - libunistring + libunistring-devel m4 pkgconfig - openssl + openssl-devel diff --git a/README.txt b/README.txt new file mode 100644 index 0000000..cb33fd6 --- /dev/null +++ b/README.txt @@ -0,0 +1,72 @@ + +GSS-NTLMSSP +=========== + +This is a mechglue plugin for the GSSAPI library that implements NTLM +authentication. + +So far it has been built and tested only with the libgssapi implementation +that comes with MIT Kerberos 1.11 + + +BUILDING +======== + +See BUILD.txt + + +TESTING +======= + +Testsuite: +---------- + +Run ./ntlmssptest at your leisure, it just insures that the crypto is +working correctly. + +Real testing: +------------- + +There are exactly 2 configuration knobs at this point, and both need to +be set right. + +1. The gss configruation file. + +In orde to load the mechanism into gssapy copy the content of the file +examples/mech.ntlmssp into /etc/gss/mech +If you are installing in a non standard path check that the location +of the shared object matches where you installed it in your system + +2. The credentials file + +Set the environment variable NTLM_USER_FILE to a path to a file with +your NTLM cedentials in it. +The file format is the same as the one used by the gss ntlm mechanism +that can be found in Heimdal. Super simple, one or more lines with: +DOMAIN:USERNAME:PASSWORD as elements separated by ':' + +For example: +ADDOM:Administrator:Passw0rd + +Testing Application: +-------------------- + +So far the only application that seem to properly use GSSAPI and +therfore will work unmodified is Firefox. I tried also Curl, but even +after making some patches to let it use the builtin SPNEGO implementation +of GSSAPI it seem that the code is hardcoded to believe there will always +only ever be one roundtrip. This is not necessarily true with the krb5 +mechanism although it works with that with current implementations. +I will need more patches for curl, meanwhile use firefox. + +The server: I am using a Windows Server with IIS installed and Windows +Authentication enabled. + +In Firefox go in about:config and set the string list named +network.negotiate-auth.trusted-uris to your Windows server domain +name suffix. This is necessary otherwise Firefox will not even attempt to +perform negotiation, regardles of the Mechanism used. + +Example: +network.negotiate-auth.trusted-uris = .addom.example.com + |