On Fri, 2018-02-09 at 17:13 +0800, Dmitry Timoshkov wrote:
Hans Leidekker <hans@codeweavers.com> wrote:
This buffer can currently be retrieved directly from NTLM, without involving LSA. This way we can free the buffer unconditionally in the negotiate tests. Things would change if NTLM was moved behind the LSA interface too, but in that case it's still not wrong to do it here, as long as the LSA wrapper and the provider agree.
Speaking of moving NTLM provider to SSP/AP msv1_0.dll, probably it's worth discussing how to do that. Do you think that using gss-ntlmssp instead of samba's ntlm_auth is an acceptable approach?
I haven't looked at gss-ntlmssp in detail but it would be interesting to use a proper library instead of Samba's ntlm_auth. In any case, considering the potential for regressions it's probably better to do such a change as a separate step.
Sure, if desired it could be even possible to have both: an old implementation in secur32 and a new one in msv1_0, and a temporary switch (at compile or run time) to choose one of them.
Keeping the old implementation lowers the pressure to fix the new implementation. I think we should build an extensive test suite, make sure it passes and then have a flag day, with ample time before the next stable release.