[Kevin Coffman] Proposal to export gssapi context

Andrew Bartlett abartlet at samba.org
Wed Mar 10 05:20:08 GMT 2004

On Wed, 2004-03-10 at 11:20, Sam Hartman wrote:
> Umich has approached MIT asking  for a private API for their in-kernel GSSAPI implementation to use.

If Samba is to ever use 'real' GSSAPI (not our own private, ugly, mostly
works hack) then we will also need this.  We currently call 

	if (remote)
		err = krb5_auth_con_getremotesubkey(context, auth_context, &skey);
		err = krb5_auth_con_getlocalsubkey(context, auth_context, &skey);

To get them.  This key is directly used for encrypting certain CIFS
traffic (password sets particularly) and to establish 'SMB signing'.

By my reading, that should be the keys we are seeing in that structure. 
Is that correct?

> Ideally we'd like to get to a point where Heimdal could implement the
> same API.
> As such we're seeking comments from the Heimdal community.
> ______________________________________________________________________
> From: Kevin Coffman <kwc at citi.umich.edu>
> To: krbdev at mit.edu
> Cc: nfsv4-wg at citi.umich.edu
> Subject: Proposal to export gssapi context
> Date: Tue, 09 Mar 2004 18:00:42 -0500
> Brought to krbdev...
> The kernel implementation of rpcsec_gss used for NFSv4 requires context
> information be negotiated in user-land and then passed down for use in the
> kernel.  gss_export_context() exports the context as an opaque object which
> cannot be used for this purpose.  We are proposing three new APIs.  One is
> to restrict the encryption types negotiated in user-land to the set that the
> kernel can use.  The other two are to export context information into a
> usable structure, and then free that structure.
> Comments, suggestions, welcome.
> ______________________________________________________________________
> _______________________________________________
> krbdev mailing list             krbdev at mit.edu
> https://mailman.mit.edu/mailman/listinfo/krbdev
Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.samba.org/archive/samba-technical/attachments/20040310/e918657e/attachment.bin

More information about the samba-technical mailing list