[Kevin Coffman] Proposal to export gssapi context
abartlet at samba.org
Wed Mar 10 05:20:08 GMT 2004
On Wed, 2004-03-10 at 11:20, Sam Hartman wrote:
> Umich has approached MIT asking for a private API for their in-kernel GSSAPI implementation to use.
If Samba is to ever use 'real' GSSAPI (not our own private, ugly, mostly
works hack) then we will also need this. We currently call
err = krb5_auth_con_getremotesubkey(context, auth_context, &skey);
err = krb5_auth_con_getlocalsubkey(context, auth_context, &skey);
To get them. This key is directly used for encrypting certain CIFS
traffic (password sets particularly) and to establish 'SMB signing'.
By my reading, that should be the keys we are seeing in that structure.
Is that correct?
> Ideally we'd like to get to a point where Heimdal could implement the
> same API.
> As such we're seeking comments from the Heimdal community.
> From: Kevin Coffman <kwc at citi.umich.edu>
> To: krbdev at mit.edu
> Cc: nfsv4-wg at citi.umich.edu
> Subject: Proposal to export gssapi context
> Date: Tue, 09 Mar 2004 18:00:42 -0500
> Brought to krbdev...
> The kernel implementation of rpcsec_gss used for NFSv4 requires context
> information be negotiated in user-land and then passed down for use in the
> kernel. gss_export_context() exports the context as an opaque object which
> cannot be used for this purpose. We are proposing three new APIs. One is
> to restrict the encryption types negotiated in user-land to the set that the
> kernel can use. The other two are to export context information into a
> usable structure, and then free that structure.
> Comments, suggestions, welcome.
> krbdev mailing list krbdev at mit.edu
Andrew Bartlett abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team abartlet at samba.org
Student Network Administrator, Hawker College abartlet at hawkerc.net
http://samba.org http://build.samba.org http://hawkerc.net
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.samba.org/archive/samba-technical/attachments/20040310/e918657e/attachment.bin
More information about the samba-technical