samba 4 TP3 and Windows SSPI

Andrew Bartlett abartlet at samba.org
Fri Nov 17 11:29:05 GMT 2006


On Sat, 2006-11-11 at 11:00 +0100, Stefan (metze) Metzmacher wrote:
> Andrew Bartlett wrote:
> > On Fri, 2006-11-10 at 10:37 +1100, Andrew Bartlett wrote:
> >> On Thu, 2006-11-09 at 17:33 +0300, Joshua Masiko wrote:
> >>> DsWriteAccountSpn allows you to de-couple the way the client connects from
> >>> the account the server is running under.
> >>>
> >>> It basically maps a service principal name to the server account such that
> >>> in InitializeSecurityContext the client can specify the SPN as the target
> >>> without knowing the account under which the server is running. Details are
> >>> on MSDN online.
> >> Looks like a mere matter of implementation, we appear to have figured
> >> out the IDL. 
> > 
> > Attached is a first implementation.  I need to get the client testsuite for
> > this running as part of 'make test' before I add it to the tree.
> 
> Hi Andrew,
> 
> please note that a special bind_guid in the DsBind() call is needed,
> when you try a DsWriteAccountSPN(), and we should match the error code
> when not getting the correct bind_guid.

Yeah, there is a fair bit more work to do, particularly like mapping
error codes.  I've put in my initial implementation, as it seems to pass
our DRSUAPI torture test.  

This is clearly something that needs Windows client testing.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.                  http://redhat.com