svn commit: samba r6219 - in branches/SAMBA_4_0/source: librpc/rpc ntvfs/posix

Andrew Bartlett abartlet at samba.org
Tue Apr 5 23:07:50 GMT 2005


On Tue, 2005-04-05 at 15:45 -0700, Richard Sharpe wrote:
> On Wed, 6 Apr 2005, Andrew Bartlett wrote:
> 
> > On Tue, 2005-04-05 at 19:53 +0000, sharpe at samba.org wrote:
> > > Author: sharpe
> > > Date: 2005-04-05 19:53:07 +0000 (Tue, 05 Apr 2005)
> > > New Revision: 6219
> > >
> > > WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=6219
> > >
> > > Log:
> > >
> > > This change allows us to fall back to authenticating without
> > > DCERPC_SCHANNEL_128 if we fail. Thus, it allows us to work with Windows
> > > NT DCs ...
> >
> > That patch is fine for now, but I'll rework things to avoid as much of
> > the reconnect as possible.
> 
> I tried doing it in dcerpc_schannel_key by simply trying the
> ServerAuthenticate2 with a different set of negotiate_flags, but that
> failed.
> 
> > More generally to the list - should 'quality of protection' be bundled
> > in with the credentials code?  I'm wondering about abstracting the
> > GENSEC 'want' and 'have' features back into credentials, the logic being
> > 'if you want to use this password, you must meet this criteria'.  Being
> > in the credentials code should also allow it to be used for 'basic'
> > session setups.
> >
> > The defaults would of course come from the config file, where we would
> > want 128 bit signed connections always, but accept 56.
> 
> I want to put the use client schannel = no stuff back as well, so I can
> turn off schannel if needed ...

This will be an interesting challenge.  Do you just want to bring it
back to sign (so you can see what's going on) or are you thinking about
the 'Samba 2.2' or 'NT4 SP0' DC case?

The challenge here will be to correctly fail back to anonymous
connections in all the right places, and not placing too much reliance
on the special (and at times darn useful) properties of schannel.

All of this should be in the credentials code, as we want to avoid
config options deep in librpc or gensec.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net
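
Added illustration of the policy idea discussed in this message (not code from the thread or from Samba): a policy stored with the credentials carries a 'want' level and an 'accept' floor, and the fallback loop never retries below that floor. All names here (cred_policy, nego_result, negotiate, try_auth, the PROT_* levels) are hypothetical, and the server is simulated.

```c
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical protection levels, weakest first (not Samba's own flags). */
enum prot_level { PROT_ANON = 0, PROT_SIGN_56 = 1, PROT_SIGN_128 = 2 };

/* Hypothetical policy stored with the credentials, not in the RPC layer. */
struct cred_policy {
    enum prot_level want;    /* level to try first */
    enum prot_level accept;  /* floor: the password is never used below this */
};

struct nego_result {
    bool ok;                 /* true if a level within policy was agreed */
    enum prot_level got;     /* valid only when ok is true */
    bool downgraded;         /* true if got < want, worth logging */
    int attempts;            /* number of authentication attempts made */
};

/* Constructed stand-in for one attempt: server accepts levels up to server_max. */
static bool try_auth(enum prot_level level, enum prot_level server_max)
{
    return level <= server_max;
}

/* Try from want down to accept; never attempt anything below the floor. */
struct nego_result negotiate(struct cred_policy p, enum prot_level server_max)
{
    struct nego_result r = { false, PROT_ANON, false, 0 };
    if (p.accept > p.want) return r;   /* inconsistent policy: refuse outright */
    for (int l = (int)p.want; l >= (int)p.accept; l--) {
        r.attempts++;
        if (try_auth((enum prot_level)l, server_max)) {
            r.ok = true;
            r.got = (enum prot_level)l;
            r.downgraded = (l < (int)p.want);
            return r;
        }
    }
    return r;
}

int main(void)
{
    struct cred_policy dflt = { PROT_SIGN_128, PROT_SIGN_56 };
    struct nego_result r = negotiate(dflt, PROT_SIGN_56); /* simulated older DC */
    printf("ok=%d got=%d downgraded=%d attempts=%d\n", r.ok, r.got, r.downgraded, r.attempts);
    return 0;
}
```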