[PATCH] Re: Fix up NET-API-BECOME-DC and repl_meta_data

Andrew Bartlett abartlet at samba.org
Wed Jan 23 04:18:53 GMT 2008


On Tue, 2008-01-22 at 12:45 +0100, Stefan (metze) Metzmacher wrote:
> Andrew Bartlett wrote:
> > On Tue, 2008-01-22 at 12:16 +0100, Stefan (metze) Metzmacher wrote:
> >> Andrew,
> >>
> >> please commit this in small pieces using 'git add -i'
> >> and check with 'git diff --cached' what is selected for the next
> >> commit.
> > 
> >>>> diff --git a/source/libnet/libnet_become_dc.c b/source/libnet/libnet_become_dc.c
> >>>> index 862631f..c9185c7 100644
> >>>> --- a/source/libnet/libnet_become_dc.c
> >>>> +++ b/source/libnet/libnet_become_dc.c
> >>>> @@ -1514,10 +1514,10 @@ static void becomeDC_drsuapi_connect_send(struct libnet_BecomeDC_state *s,
> >>>>  
> >>>>  	if (!drsuapi->binding) {
> >>>>  		if (lp_parm_bool(s->libnet->lp_ctx, NULL, "become_dc", "print", false)) {
> >>>> -			binding_str = talloc_asprintf(s, "ncacn_ip_tcp:%s[krb5,print,seal]", s->source_dsa.dns_name);
> >>>> +			binding_str = talloc_asprintf(s, "ncacn_ip_tcp:%s[print,seal]", s->source_dsa.dns_name);
> >>>>  			if (composite_nomem(binding_str, c)) return;
> >>>>  		} else {
> >>>> -			binding_str = talloc_asprintf(s, "ncacn_ip_tcp:%s[krb5,seal]", s->source_dsa.dns_name);
> >>>> +			binding_str = talloc_asprintf(s, "ncacn_ip_tcp:%s[seal]", s->source_dsa.dns_name);
> >>>>  			if (composite_nomem(binding_str, c)) return;
> >>>>  		}
> >>>>  		c->status = dcerpc_parse_binding(s, binding_str, &drsuapi->binding);
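
Review bot: In both branches under if (!drsuapi->binding), "krb5" is dropped from the hard-coded binding string unconditionally, so this DRSUAPI connection no longer pins the mechanism for any caller, not only for one that passed -kno. If the aim is to honour the credentials setting, make the removal depend on that setting, or add a comment saying where the mechanism is now chosen, so the default path still requests krb5 together with seal. The two talloc_asprintf() calls also differ only in the "print" option and could share one format string.
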
> >> Is this change really needed?
> >> We should really use krb5.
> > 
> > For some reason I was having trouble with krb5, so I disabled it on the
> > command line with -kno.  I had to change this to allow that to be
> > honoured. 
> > 
> > I think the correct place to handle this setting is in the credentials
> > subsystem (which reads the -kyes or -kno from the command line). 
> > 
> > We try SPNEGO first, then NTLMSSP as a fallback in the RPC connection
> > code.
> 
> The reason I added this was that I wanted to do the same as Windows
> and Windows uses the krb5 rpc auth mech (16) and not spnego.

What would you like me to do?  I would like to keep this consistent with
the rest of the code, if possible.  How should we consistently indicate
the use of auth type 16 (rather than SPNEGO, possibly restricted to
kerberos)?

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.