Finishing up the new nads join code [was Re: svn commit: samba r15543...]

Gerald (Jerry) Carter jerry at
Thu May 18 04:36:49 GMT 2006

Hash: SHA1

Luke Howard wrote:
>> I also experimented with the LDAP signing.  This is simply
>> a kerb5 HMAC-MD5 signature on the GSS-API payload.
> I know you know this, but this is a generalization; the signing
> algorithm is opaque to the GSS-API consumer and indeed, post
> RFC 4121, to the mechanism implementation itself.

Yup.  Didn't realize rfc4121 made it independent of
the mechanism though.  I'll go back and read that.

>> We can do this in Samba 3, but will have to implement
>> support in our own SASL code and need to make use
>> of gss_wrap()/gss_unwrap().  The krb5/gss code already
>> works as far as I can tell.
> Yes, it works, implementing SASL integrity on top of gss_wrap()/
> gss_unwrap() is not difficult but you will need to use
> gss_init_sec_context() to establish the security context.

It just means moving from native krb5 to gss calls more
through the code.  Which is no trivial feat.

cheers, jerry
Version: GnuPG v1.4.2 (GNU/Linux)
Comment: Using GnuPG with SUSE -


More information about the samba-technical mailing list