svn commit: samba r11325 - in
branches/SAMBA_4_0/source/auth/kerberos: .
abartlet at samba.org
abartlet at samba.org
Thu Oct 27 12:26:28 GMT 2005
Author: abartlet
Date: 2005-10-27 12:26:28 +0000 (Thu, 27 Oct 2005)
New Revision: 11325
WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=11325
Log:
Fix up some kerberos notes.
Andrew Bartlett
Modified:
branches/SAMBA_4_0/source/auth/kerberos/kerberos-notes.txt
Changeset:
Modified: branches/SAMBA_4_0/source/auth/kerberos/kerberos-notes.txt
===================================================================
--- branches/SAMBA_4_0/source/auth/kerberos/kerberos-notes.txt 2005-10-27 11:16:36 UTC (rev 11324)
+++ branches/SAMBA_4_0/source/auth/kerberos/kerberos-notes.txt 2005-10-27 12:26:28 UTC (rev 11325)
@@ -236,10 +236,13 @@
- gsskrb5_acquire_creds() (takes keytab and/or ccache as input
parameters, see keytab and state machine discussion)
+ - gss_krb5_copy_service_keyblock() (get the key used to actually
+ encrypt the ticket to the server, because the same key is used for
+ the PAC validation).
- gsskrb5_extract_authtime_from_sec_context (get authtime from
kerberos ticket)
- gsskrb5_extract_authz_data_from_sec_context (get authdata from
- ticket, ie the PAC)
+ ticket, ie the PAC. Must unwrap the data if in an AD-IFRELEVENT)
- gsskrb5_wrap_size (find out how big the wrapped packet will be,
given input length).
@@ -282,18 +285,10 @@
as well as all case variations on the above.
-Because that all got 'too hard' to put into a keytab (and because we
-still wanted to supply a keytab to the GSSAPI code), a 'wildcard'
-keytab was devised. MEMORY_WILDCARD: is much like MEMORY:, except it
-only matches on kvno, rather than on the principal name.
+Because that all got 'too hard' to put into a real keytab (and because we
+still wanted to supply a keytab to the GSSAPI code), we use in-memory
+keytabs, and specify the target name.
-Another way of handling this amy be to declare "" as a wildcard name,
-or perhaps allow principal names to be fnmatch() or regex expressions.
-
-Hmm, looking over the code again, I'm really not sure we need this...
-We should be able to just specify the same principal as a desired name
-(GSSAPI) and principal (keytab).
-
Extra Heimdal functions used
----------------------------
(an attempt to list some of the Heimdal-specific functions I know we use)
@@ -357,6 +352,10 @@
To handle TCP, we will use of our socket layer in much the same way as
we deal with TCP for CIFS. Tridge has promised this generalisation.
+For the client, we likewise must take over the socket functions, so
+that our single thread smbd will not lock up talking to itself. (We
+allow processing while waiting for packets in our socket routines).
+
Kerberos logging support
------------------------
@@ -414,7 +413,7 @@
Kpasswd server
--------------
-I have a partial kpasswd server which needs finishing, and a client
-testsuite written, either via the krb5 API or directly against GENSEC
-and the ASN.1 routines.
+I have a partial kpasswd server which needs finishing, and a we need a
+client testsuite written, either via the krb5 API or directly against
+GENSEC and the ASN.1 routines.
More information about the samba-cvs
mailing list