Finishing up the new nads join code [was Re: svn commit: samba r15543...]

Luke Howard lukeh at padl.com
Thu May 18 04:28:11 GMT 2006


>I also experimented with the LDAP signing.  This is simply
>a kerb5 HMAC-MD5 signature on the GSS-API payload.

I know you know this, but this is a generalization; the signing
algorithm is opaque to the GSS-API consumer and indeed, post
RFC 4121, to the mechanism implementation itself.

>We can do this in Samba 3, but will have to implement
>support in our own SASL code and need to make use
>of gss_wrap()/gss_unwrap().  The krb5/gss code already
>works as far as I can tell.

Yes, it works. Implementing SASL integrity on top of gss_wrap()/
gss_unwrap() is not difficult, but you will need to use
gss_init_sec_context() to establish the security context.

-- Luke
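
The SASL side of the integrity layer discussed in this message, as an added example that is not part of the original post or of Samba's code. It assumes the SASL GSSAPI mechanism of RFC 4752 and the four-octet buffer framing of RFC 4422; the function names are hypothetical, and the real gss_wrap()/gss_unwrap() calls are left to the caller.

```c
#include <stddef.h>
#include <stdint.h>

/* Security-layer bits defined by RFC 4752 */
#define SASL_GSS_NONE      0x01
#define SASL_GSS_INTEGRITY 0x02
#define SASL_GSS_PRIVACY   0x04

/* Parse the 4-octet message recovered by gss_unwrap() from the server's
 * final token: 1 octet layer bitmask, 3 octets max buffer size. */
int sasl_gss_parse_offer(const uint8_t *msg, size_t len,
                         uint8_t *layers, uint32_t *maxbuf)
{
    if (len != 4) return -1;
    *layers = msg[0];
    *maxbuf = ((uint32_t)msg[1] << 16) | ((uint32_t)msg[2] << 8) | msg[3];
    return 0;
}

/* Build the client's 4-octet reply header (any authzid is appended by the
 * caller before gss_wrap()). Fails if the wanted layer was not offered, so
 * a "none only" offer cannot downgrade a client that requires signing. */
int sasl_gss_build_reply(uint8_t offered, uint8_t want, uint32_t maxbuf,
                         uint8_t out[4])
{
    if (want != SASL_GSS_NONE && want != SASL_GSS_INTEGRITY &&
        want != SASL_GSS_PRIVACY) return -1;
    if ((offered & want) == 0 || maxbuf > 0xFFFFFF) return -1;
    out[0] = want;
    out[1] = (uint8_t)(maxbuf >> 16);
    out[2] = (uint8_t)(maxbuf >> 8);
    out[3] = (uint8_t)maxbuf;
    return 0;
}

/* Split one protected buffer off a receive stream: 4-octet big-endian
 * length, then the token to pass to gss_unwrap(). maxbuf is the limit this
 * side advertised. Returns bytes consumed, 0 if incomplete, -1 if too big. */
long sasl_gss_deframe(const uint8_t *in, size_t inlen, uint32_t maxbuf,
                      const uint8_t **tok, size_t *toklen)
{
    uint32_t n;
    if (inlen < 4) return 0;
    n = ((uint32_t)in[0] << 24) | ((uint32_t)in[1] << 16) |
        ((uint32_t)in[2] << 8) | in[3];
    if (n > maxbuf) return -1;   /* refuse before allocating or reading */
    if (inlen - 4 < n) return 0;
    *tok = in + 4; *toklen = n;
    return (long)n + 4;
}
```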
