Samba4: A tool to offer the GENSEC mechanism to external programs

Andrew Bartlett abartlet at samba.org
Mon Jul 25 23:23:39 GMT 2005


On Mon, 2005-07-25 at 22:30 +0200, Kai Blin wrote:
> * "Gerald (Jerry) Carter" <jerry at samba.org> [25/07/05, 11:20:32]:
> > Kai Blin wrote:
> > 
> > | I'm working on implementing single-sign-on for the
> > | wine project. I was planning on using Andrew Bartlett's
> > | GENSEC as implemented in samba4, and after talking
> > | to him, he suggested using a tool like ntlm_auth or
> > | ssh-agent to take care of the actual negotiation with
> > | the server, instead of having to spin out GENSEC as a
> > | lib or having to duplicate code.
> > 
> > As I mentioned on IRC I think it would be better to ship
> > gensec as a shared library in Samba 4.  That prevents code
> > duplication but also would have a richer interface than
> > a CLI utility.  Of course, a *.so file would not preclude
> > a command line tool.
>  
> I agree. I'm not fixed on having a command line tool. It was just what
> Andrew suggested. Andrew, what do you think about a library like
> libsmbclient? That would not break GENSEC off samba, but, as Jerry said,
> give us a nice interface.

So, there were a few reasons for the suggestion to make this a
credentials daemon rather than a library.

Perhaps it first comes from some suspicion of software libraries, and my
ability to create one with a stable interface, but the rest did come
from the discussion at WineConf:

By putting GENSEC in a separate process, we have one place that a login-
time PAM call has to stash the password, and where it can be kept
'secure', matching the login password cache on Windows.  Various
applications, including Wine, can then call on its services (request an
authentication exchange), without needing the plaintext password, and
without needing to try and mix the Samba and WINE codebases.

Andrew Bartlett
-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Samba Developer, SuSE Labs, Novell Inc.        http://suse.de
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net
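
Added example, not part of the original message and not Samba or GENSEC code: a minimal sketch of the separate-process design described above, where an agent process holds the password and applications only ask it to answer an authentication challenge. The HMAC challenge-response stands in for a real mechanism such as NTLM, and all names, the salt and the password are constructed for illustration.

```python
import hashlib, hmac, os, socket

SALT = b"constructed-salt"  # assumption: fixed salt, for the demo only

def derive_key(password):
    return hashlib.pbkdf2_hmac("sha256", password, SALT, 10_000)

def agent_loop(sock, password):
    """Runs in the agent process, the one place the secret is kept."""
    key = derive_key(password)
    while True:
        challenge = sock.recv(64)
        if not challenge:          # client closed its end
            break
        sock.sendall(hmac.new(key, challenge, hashlib.sha256).digest())

def start_agent(password):
    """Plays the login-time step: hand the password to a forked agent."""
    client_end, agent_end = socket.socketpair()
    pid = os.fork()
    if pid == 0:                   # child: becomes the credentials agent
        client_end.close()
        try:
            agent_loop(agent_end, password)
        finally:
            os._exit(0)
    agent_end.close()
    return client_end, pid

def request_response(agent_sock, challenge):
    """What an application does: forward a challenge, get a response.
    It never sees the password or the derived key."""
    agent_sock.sendall(challenge)
    return agent_sock.recv(32)

def server_verify(stored_key, challenge, response):
    expected = hmac.new(stored_key, challenge, hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)

def demo():
    password = b"constructed-password"
    stored_key = derive_key(password)      # what the server side holds
    sock, pid = start_agent(password)
    challenge = os.urandom(16)
    response = request_response(sock, challenge)
    ok = server_verify(stored_key, challenge, response)
    # The same response must not verify against a different challenge.
    replay = server_verify(stored_key, b"some-other-challenge", response)
    sock.close()                           # agent sees EOF and exits
    os.waitpid(pid, 0)
    return ok, replay

if __name__ == "__main__":
    print(demo())
```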