Samba4: A tool to offer the GENSEC mechanism to external programs

Andrew Bartlett abartlet at samba.org
Tue Jul 26 07:18:57 GMT 2005


On Tue, 2005-07-26 at 09:52 +1000, Andrew Bartlett wrote:
> On Tue, 2005-07-26 at 01:37 +0200, Jelmer Vernooij wrote:
> > On Tue, Jul 26, 2005 at 09:23:39AM +1000, Andrew Bartlett wrote about 'Re: Samba4: A tool to offer the GENSEC mechanism to external programs':
> > > By putting GENSEC in a separate process, we have one place that a login-
> > > time PAM call has to stash the password, and where it can be kept
> > > 'secure', matching the login password cache on windows.  Various
> > > applications, including Wine can then call on it's services (request an
> > > authentication exchange), without needing the plaintext password, and
> > > without needing to try and mix the Samba and WINE codebases.
> > As well as licensing issues... Of course those can be resolved, but
> > they'd make the whole process more complicated.
> 
> Indeed, that was the other reason.   I hate to make design decisions
> based on licence 'avoidance', but as I see real software engineering
> reasons to take the agent/daemon approach, it also provides what I think
> could be argued as a real, legitimate boundary.  (And one which looks
> very much like the existing winbind pattern)

BTW, I should note (in a followup to the IRC discussion) that ntlm_auth
in Samba4 does already handle most of this, but cannot offer persistence
(ie, no magic logon password) nor sign/seal of data.

ntlm_auth in Samba4 already handles SPNEGO/Negotiate - it is not much
more than a thin wrapper around GENSEC itself.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Samba Developer, SuSE Labs, Novell Inc.        http://suse.de
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net
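The agent/daemon split described in the quoted paragraph above, as an added illustration rather than Samba code: a credential agent holds only a key derived at logon, and application processes (the Wine role) ask it for challenge responses and for signatures through a small hypothetical line protocol, never seeing the password. HMAC-SHA256 and the `auth:`/`sign:` labels are constructed stand-ins for the real NTLM/GENSEC mechanisms.

```python
import hashlib
import hmac
import secrets

class CredentialAgent:
    """Stand-in for the proposed GENSEC agent: the only process holding secrets."""
    def __init__(self):
        self._keys = {}  # user -> key derived from the logon password
    def logon(self, user, password):
        # Called once at login time (the PAM hook in the design); only a derived
        # key is retained (constructed derivation, not NTLM's real one).
        self._keys[user] = hashlib.sha256(password.encode()).digest()
    def handle(self, request):
        # Hypothetical line protocol in the spirit of the ntlm_auth helper:
        #   "RESPOND <user> <hex challenge>" -> hex response to a server challenge
        #   "SIGN <user> <hex data>"         -> hex signature over application data
        op, user, arg = request.split(" ", 2)
        key, payload = self._keys[user], bytes.fromhex(arg)
        if op == "RESPOND":
            return hmac.new(key, b"auth:" + payload, hashlib.sha256).hexdigest()
        if op == "SIGN":
            return hmac.new(key, b"sign:" + payload, hashlib.sha256).hexdigest()
        raise ValueError("unknown request: " + op)

class Server:
    """Verifier (the DC role): knows the user's key and issues fresh challenges."""
    def __init__(self, password):
        self._key = hashlib.sha256(password.encode()).digest()
        self._challenge = None
    def new_challenge(self):
        self._challenge = secrets.token_bytes(16)
        return self._challenge
    def _check(self, label, payload, mac_hex):
        expected = hmac.new(self._key, label + payload, hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, mac_hex)
    def verify(self, response_hex):
        return self._check(b"auth:", self._challenge, response_hex)
    def verify_signature(self, data, sig_hex):
        return self._check(b"sign:", data, sig_hex)

def client_session(agent, user, server, data):
    """Application side (Wine in the thread): holds no password, only an agent
    handle. Returns (authenticated, signature_verified)."""
    challenge = server.new_challenge()
    ok = server.verify(agent.handle(f"RESPOND {user} {challenge.hex()}"))
    return ok, server.verify_signature(data, agent.handle(f"SIGN {user} {data.hex()}"))
```

The client function takes an agent handle and a user name only; a server configured with a different password rejects both the response and the signature.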