kerberos in smbd working
Andrew Tridgell
tridge at samba.org
Sat Oct 20 21:32:02 GMT 2001
> I'd like to get Apple's client "Kerberized" to test with this Samba 3.0.
> Do let me know if you know of any unencumbered code which might be useful.
What do you mean by unencumbered? If you mean non-GPL then you may
have to write it yourself. You can of course read the code I have
recently put in the Samba CVS tree which will probably save you at lot
of time.
Things you'll need to write or obtain from some existing library:
- a ASN.1 encoder/decoder. I did a very simple one in libsmb/asn1.c
but there are several available under various free licenses.
- a GSS-API/kerberos implementation. I used MIT kerberos and did my
own GSS-API code using the above ASN.1 module. Now that I understand
GSS-API a little better I could perhaps use an existing library, it
was just that at the time I couildn't see how to apply the existing
libraries to what was needed in SMB.
- a SPNEGO library that fits in with the GSS-API/kerberos library and
the ASN.1 module. I did my own, although I have since heard that the
heimdal people are working on one as well.
Then you just need to piece it all together. It isn't actually very
much code, just quite fiddly. I highly recommend the dumpasn1 utility
from Peter Gutmann to help you parse each stage of the
negotiation. Without that it would have taken me much longer.
Also, a big thank you to Craig Russ. Craig presented some slides on
kerberos in SMB at the CIFS conference last year. His slides are on
the SNIA website.
Cheers, Tridge
More information about the samba-technical
mailing list