mod_auth_kerb and kerberos

Henry B. Hotz hotz at
Thu Sep 8 12:40:44 EDT 2005

Well, personally, I don't like having code that keeps your permanent  
password on file, which is what I understand NTLMx requires.  OTOH I  
like having better compatibility.

Is this functional if you don't have an LDAP back-end on Heimdal?  I.e.  
don't you need some different key information than a standard kdc uses?

On Sep 8, 2005, at 1:38 AM, Andrew Bartlett wrote:

> On Wed, 2005-09-07 at 18:04 -0700, Henry B. Hotz wrote:
>> 5.0-rc6 works fine with Heimdal 0.6.x and MIT 1.3.x.  I published a
>> patch for Heimdal 0.7 on one of the Heimdal lists a bit ago.  I've
>> since patched it to work with MIT 1.4.x, but have further  
>> modifications
>> to make.  If you can prove you're a US citizen I can send you the  
>> mods.
>>   ;-P
>> As best I understand the situation, mod_auth_kerb was the testbed for
>> open-source re-implementation of Microsoft's SPNEGO on the server  
>> side.
>>   Since then SPNEGO has been added to the gssapi implementations of  
>> both
>> Heimdal and MIT distributions, so that code can be deleted.
> The other implementation of something similar is mod_ntlm_winbind,  
> which
> backs on Samba4 (or indeed a dodgy implementation in Samba3)'s
> implementation of SPNEGO.
> The difference with the Samba approach is that we allow SPNEGO to
> negotiate NTLMSSP.  This may or may not be something you want, but it's
> what we provide, for greater compatibility.
> I have just put out a call for developers to port the apache 1.3 module
> to 2.0, so we should have that working soon.
> Andrew Bartlett
> --  
> Andrew Bartlett                                 
> Samba Developer, SuSE Labs, Novell Inc.
> Authentication Developer, Samba Team 
> Student Network Administrator, Hawker College
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz at, or hbhotz at

More information about the krbdev mailing list