Samba4: Some GENSEC questions

Kai Blin k.blin at
Sat Apr 8 11:20:08 GMT 2006

Hi folks,

While trying to create a program making use of the GENSEC library from
outside samba, I've encountered a couple of problems of a technical
nature, but Jelmer Vernooij helped me to sort them all out. Many thanks
for that, Jelmer.

Now I have basic authentication over NTLMSSP working and moved on to
sealing/unsealing packets. I then realized I don't fully understand the
API for that and would appreciate some input.

NTSTATUS gensec_seal_packet(struct gensec_security *gensec_security,
                            TALLOC_CTX *mem_ctx,
                            uint8_t *data,
			    size_t length,
                            const  uint8_t  *whole_pdu,
			    size_t pdu_length,
			    DATA_BLOB *sig)

Now the struct gensec_security is pretty clear, as is the talloc
context. *data seems to be a pointer to the data to encrypt and also the
place where the encrypted data will be placed. length is the length of
that data.
I'm unclear what should go into *whole_pdu. For my test I just put the
same stuff there as *data.

The call to gensec_seal_packet() in my test fails with
NT_STATUS_INVALID_PARAMETER, from which I gather that the
gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL) test on
gensec.c line 782. I requested the feature when setting up the gensec,
but maybe it's at the wrong place.

If you want to have a look at the source code I'm using, I've uploaded a
copy at

Without the check if the gensec_have_feature worked, the program runs
nicely up to the point where it fails for gensec_seal_packet.

I'd appreciate any suggestions on this.


Kai Blin, private email
I can give you my word, but I know what it's worth and you don't.
		-- Nero Wolfe, "Over My Dead Body"
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
Url :

More information about the samba-technical mailing list