[linux-cifs-client] [PATCH 0/5] cifs: add support for MSKRB5 authentication

Jeff Layton jlayton at redhat.com
Tue Aug 19 20:49:55 GMT 2008


On Mon, 18 Aug 2008 15:41:04 -0400
Jeff Layton <jlayton at redhat.com> wrote:

> We've now had support for some time for "regular" KRB5 authentication,
> but there are some servers that only support the Microsoft KRB5
> auth flavor. This patch adds support for that auth flavor to Linux CIFS.
> 
> The main change is that the "mechListMIC" string is now parsed out of
> the SPNEGO reply from the server. We then pass that to userspace as
> part of the upcall string. The upcall program then can use that info
> to build a SPNEGO blob for MSKRB5 authentication.
> 
> Igor Mammedov already has a patch that adds this support to the
> upcall program, and I can confirm from network captures that I can
> successfully authenticate to a Win2k3 server using MSKRB5.
> 
> I'll plan to commit his cifs.upcall patch if this approach looks OK.

As Steve and I discussed on #samba-technical today, it turns out that
all of this parsing of the mechListMIC is unnecessary. The *only*
difference between the KRB5 and MSKRB5 is the OID used. They are
exactly the same otherwise. Supposedly, this was a bug in win2k and for
compatibility reasons, later Windows versions generally send this broken
OID first.

So it turns out that we really only need patch 5 in this set, though
patch 1 is also a good cleanup. Steve has taken those in. I've respun
the cifs.upcall patch and will be sending it out soon. 

-- 
Jeff Layton <jlayton at redhat.com>
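
Added example, not part of the original message and not code from the CIFS tree: a sketch of the point made in the reply above, that the two mechanisms differ only in the OID. It decodes the DER content bytes of a SPNEGO mechType OID and classifies it. The function names and the byte arrays (constructed sample inputs for 1.2.840.113554.1.2.2 and 1.2.840.48018.1.2.2) are assumptions made for illustration.

```c
#include <stddef.h>

enum mech { MECH_UNKNOWN, MECH_KRB5, MECH_MSKRB5 };

/* Constructed samples: DER content bytes (tag and length stripped) */
static const unsigned char KRB5_DER[]   = {0x2a,0x86,0x48,0x86,0xf7,0x12,0x01,0x02,0x02};
static const unsigned char MSKRB5_DER[] = {0x2a,0x86,0x48,0x82,0xf7,0x12,0x01,0x02,0x02};

/* Decode OID content bytes into arcs; returns arc count, 0 if malformed. */
size_t decode_oid(const unsigned char *der, size_t len,
                  unsigned long *arcs, size_t max)
{
    size_t n = 0, i = 0;
    while (i < len) {
        unsigned long v = 0;
        int more;
        if (der[i] == 0x80) return 0;           /* non-minimal encoding */
        do {
            if (i == len || v > (~0UL >> 7)) return 0; /* truncated/overflow */
            v = (v << 7) | (der[i] & 0x7f);
            more = der[i++] & 0x80;
        } while (more);
        if (n == 0) {                 /* first subidentifier packs 40*X + Y */
            unsigned long x = v < 80 ? v / 40 : 2;
            if (max < 2) return 0;
            arcs[n++] = x;
            v -= 40 * x;
        }
        if (n == max) return 0;
        arcs[n++] = v;
    }
    return n;
}

/* Accept the standard KRB5 OID, or the same OID with the MS value in arc 3. */
enum mech classify_mech(const unsigned char *der, size_t len)
{
    static const unsigned long krb5[] = {1, 2, 840, 113554, 1, 2, 2};
    unsigned long a[16];
    size_t n = decode_oid(der, len, a, 16), i;
    enum mech m = MECH_KRB5;
    if (n != 7) return MECH_UNKNOWN;
    for (i = 0; i < n; i++) {
        if (a[i] == krb5[i]) continue;
        /* 48018 is 113554 with only its low 16 bits kept */
        if (i == 3 && a[i] == (krb5[3] & 0xffff)) m = MECH_MSKRB5;
        else return MECH_UNKNOWN;
    }
    return m;
}
```

On the wire the two encodings differ in a single byte (0x86 versus 0x82), so a client that matches mechTypes by exact byte comparison needs both OIDs in its table.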

