Fallback from SPNEGO to NTLMSSP in DCE/RPC client in Samba4

Andrew Bartlett abartlet at samba.org
Tue Mar 28 09:44:40 GMT 2006


On Sat, 2006-03-25 at 23:00 +1100, Andrew Bartlett wrote:
> On Sat, 2006-03-25 at 22:06 +1100, Andrew Bartlett wrote:
> > I've been trying (and largely failing) to add code to Samba4 to test
> > kerberos in Samba4 for a while now.
> > 
> > Finally, with this patch I have something 'real' to show for my
> > efforts...
> > 
> > I decided to attack the problem via the 'test_session_key.sh' script,
> > and over the past couple of months I've added support for turning on/off
> > kerberos, along with various NTLMSSP options.  
> > 
> > This opened up the can of worms further, because our DCE/RPC code
> > defaulted to NTLM authentication.  We now connect with SPNEGO by
> > default, but for NT4 / early Samba 3.0 compatibility we fall back to
> > NTLMSSP.   Again, this opened up a can of worms, as we must reconnect to
> > the server to fall back (so the pipe the application holds open may
> > change).  It also required changes to our dcerpc.idl, as we now deal
> > with the bind_nak more correctly.
> > 
> > On the negative side, currently Samba4 cannot sign or seal a GSSAPI
> > connection as a client to Win2k3 SP1.  SP0 works fine.  I would
> > appreciate any pointers in this area.
> 
> Thanks to some very useful rapid-fire feedback from metze, I've
> committed some parts (the bind_nak handling and target name changes in
> particular), and the rest of the patch is here for some further comment.
> It is in two parts:  the patch, and the changes to the test scripts.

Should I commit this?  In particular, should I commit a patch that will
prevent us (in some situations, that is the use of sign/seal on DCERPC
with kerberos) from communicating with Win2k3 SP1 (compared with SP0)?
(Because we don't know what they changed in GSSAPI)

Or should I apply it, but with the default being NTLM?  (Therefore the
new code won't be tested well).  

I just don't want the patch lost in the mists of time...

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net
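The SPNEGO-first bind with reconnect-on-bind_nak fallback that the thread describes, modelled as an added Python example (this is not Samba's code; the legacy server stub, the handle numbering and the simplified PDU layout are constructed for illustration, while the packet-type and auth-type constants are the DCE/RPC values):

```python
"""Model of a DCE/RPC client that binds with SPNEGO first and falls back
to NTLMSSP on bind_nak, which forces a new connection (new pipe handle).
Constructed example, not Samba4 code."""
import struct

PKT_BIND, PKT_BIND_ACK, PKT_BIND_NAK = 11, 12, 13      # DCE/RPC packet types
AUTH_SPNEGO, AUTH_NTLMSSP = 9, 10                      # DCE/RPC auth_type values
AUTH_LEVEL_PKT_PRIVACY = 6                             # sign + seal


class BindNak(Exception):
    """Server rejected the bind; the transport connection is unusable afterwards."""


class Connection:
    """Stand-in for one transport connection. Every reconnect gets a fresh handle,
    which is the 'pipe the application holds open may change' problem."""
    _next_handle = 0

    def __init__(self, server):
        Connection._next_handle += 1
        self.handle = Connection._next_handle
        self.server = server

    def bind(self, auth_type, auth_level):
        # Simplified bind PDU: 4 header bytes (rpc_vers, minor, ptype, pfc_flags)
        # followed by the auth trailer fields we care about here.
        hdr = struct.pack("<BBBB", 5, 0, PKT_BIND, 0x03)
        trailer = struct.pack("<BBBB", auth_type, auth_level, 0, 0)
        ptype = self.server(hdr + trailer)
        if ptype == PKT_BIND_NAK:
            raise BindNak(auth_type)
        return ptype


def nt4_style_server(pdu):
    """Hypothetical NT4 / early Samba 3.0 peer: accepts NTLMSSP only."""
    return PKT_BIND_ACK if pdu[4] == AUTH_NTLMSSP else PKT_BIND_NAK


def spnego_server(pdu):
    """Hypothetical modern peer: accepts SPNEGO."""
    return PKT_BIND_ACK if pdu[4] == AUTH_SPNEGO else PKT_BIND_NAK


def connect_with_fallback(server, allow_ntlmssp_fallback=True,
                          auth_level=AUTH_LEVEL_PKT_PRIVACY):
    """Return (connection, auth_type_used). The requested auth_level is kept
    across the fallback so a downgrade of the mechanism never also drops sign/seal."""
    conn = Connection(server)
    try:
        conn.bind(AUTH_SPNEGO, auth_level)
        return conn, AUTH_SPNEGO
    except BindNak:
        if not allow_ntlmssp_fallback:
            raise                      # policy says: no NTLMSSP, fail closed
    conn = Connection(server)          # must reconnect; the old handle is dead
    conn.bind(AUTH_NTLMSSP, auth_level)
    return conn, AUTH_NTLMSSP
```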