svn commit: samba r11325 - in branches/SAMBA_4_0/source/auth/kerberos: .

abartlet at samba.org
Thu Oct 27 12:26:28 GMT 2005


Author: abartlet
Date: 2005-10-27 12:26:28 +0000 (Thu, 27 Oct 2005)
New Revision: 11325

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=11325

Log:
Fix up some kerberos notes.

Andrew Bartlett

Modified:
   branches/SAMBA_4_0/source/auth/kerberos/kerberos-notes.txt


Changeset:
Modified: branches/SAMBA_4_0/source/auth/kerberos/kerberos-notes.txt
===================================================================
--- branches/SAMBA_4_0/source/auth/kerberos/kerberos-notes.txt	2005-10-27 11:16:36 UTC (rev 11324)
+++ branches/SAMBA_4_0/source/auth/kerberos/kerberos-notes.txt	2005-10-27 12:26:28 UTC (rev 11325)
@@ -236,10 +236,13 @@
  - gsskrb5_acquire_creds() (takes keytab and/or ccache as input
    parameters, see keytab and state machine discussion)
 
+ - gss_krb5_copy_service_keyblock() (get the key used to actually
+   encrypt the ticket to the server, because the same key is used for
+   the PAC validation).
  - gsskrb5_extract_authtime_from_sec_context (get authtime from
    kerberos ticket)
  - gsskrb5_extract_authz_data_from_sec_context (get authdata from
-   ticket, ie the PAC)
+   ticket, ie the PAC.  Must unwrap the data if in an AD-IFRELEVENT)
  - gsskrb5_wrap_size (find out how big the wrapped packet will be,
    given input length).
 
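Review bot: "AD-IFRELEVENT" in the gsskrb5_extract_authz_data_from_sec_context entry should read AD-IF-RELEVANT, the RFC 4120 authorization-data container type the PAC is carried inside; with the standard spelling a reader grepping for it will find the entry. The gss_krb5_copy_service_keyblock() entry says the same key is used for "the PAC validation"; it would be more precise to say which PAC checksum the service key verifies (the server checksum, the one keyed with the ticket's encryption key), since the KDC checksum is keyed differently and cannot be checked with this key.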
@@ -282,18 +285,10 @@
 
 as well as all case variations on the above.  
 
-Because that all got 'too hard' to put into a keytab (and because we
-still wanted to supply a keytab to the GSSAPI code), a 'wildcard'
-keytab was devised.  MEMORY_WILDCARD: is much like MEMORY:, except it
-only matches on kvno, rather than on the principal name.
+Because that all got 'too hard' to put into a real keytab (and because we
+still wanted to supply a keytab to the GSSAPI code), we use in-memory
+keytabs, and specify the target name.
 
-Another way of handling this amy be to declare "" as a wildcard name,
-or perhaps allow principal names to be fnmatch() or regex expressions.
-
-Hmm, looking over the code again, I'm really not sure we need this...
-We should be able to just specify the same principal as a desired name
-(GSSAPI) and principal (keytab).
-
 Extra Heimdal functions used
 ----------------------------
 (an attempt to list some of the Heimdal-specific functions I know we use)
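Review bot: the replacement paragraph removes the explanation of how the wildcard keytab matched (the deleted text said MEMORY_WILDCARD: matched on kvno only) but does not say what "specify the target name" means or to which call the name is given. The deleted text already had the answer ("specify the same principal as a desired name (GSSAPI) and principal (keytab)") and the earlier hunk lists gsskrb5_acquire_creds() as the call that takes the keytab, so wording it as "we use in-memory keytabs and pass the target principal as the desired name to gsskrb5_acquire_creds()" would keep the section self-contained. Minor: "keytabs, and specify" reads better without the comma.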
@@ -357,6 +352,10 @@
 To handle TCP, we will use of our socket layer in much the same way as
 we deal with TCP for CIFS.  Tridge has promised this generalisation.
 
+For the client, we likewise must take over the socket functions, so
+that our single thread smbd will not lock up talking to itself.  (We
+allow processing while waiting for packets in our socket routines).
+
 Kerberos logging support
 ------------------------
 
@@ -414,7 +413,7 @@
 Kpasswd server
 --------------
 
-I have a partial kpasswd server which needs finishing, and a client
-testsuite written, either via the krb5 API or directly against GENSEC
-and the ASN.1 routines.
+I have a partial kpasswd server which needs finishing, and a we need a
+client testsuite written, either via the krb5 API or directly against
+GENSEC and the ASN.1 routines.
 
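Review bot: the rewritten sentence has a stray article, "and a we need a client testsuite"; it should read "and we need a client testsuite".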