Kerberos Ticket Forwarding Patch/Update (3.2)

Derrick Schommer d.schommer at f5.com
Thu Jul 31 03:32:50 GMT 2008


Andrew,

I'm looking into the GSS API. Honestly, I've never used it before, so there
is a bit of a learning curve, and there seems to be no great documentation
on building a GSS security context with a GSS checksum. I think I get the
"theory," I'm just struggling for time to build it, as I'm currently wearing
"many hats" here and trying to get this through along with other internal
work. Currently, I'm reading the header files and the Samba sources to see
if I can build a GSS API checksum in the context rather than my silly GSS
checksum structure.

If you've got any GSS-API gurus that can tell me how to (or show me how to)
take my silly GSS checksum "hack" and build it into the real GSS API, I'd
love to learn. I'm going to try my hand at it this week, I hope, before I
give in and just little-endian byte order my field values and say it
works...

I've not worked with the code I wrote in this patch (or Kerberos) for about
three years, so I'm a bit out of practice. I'm a stickler for doing it
right, so I really want to strive to make it perfect. If that means
submitting something that works today and cleaning it up in a future
release, I'd rather do that than give you guys something you think isn't on
par with a Samba code drop.

Derrick



On 7/30/08 9:12 PM, "Andrew Bartlett" <abartlet at samba.org> wrote:

> On Fri, 2008-07-25 at 15:14 -0400, Derrick Schommer wrote:
>> Here is the update with C-style comment fixes for 3.2 for the Kerberos
>> update and the gss_init() updated to have the C_DELEGAT flag enabled.
> 
> I still think it is silly to be extending Samba3's mini-GSSAPI like
> this, but the change to make it just use real GSSAPI is a more difficult
> patch. 
> 
> Can you please test this against Samba4 when you are done?  We have an
> active implementation of a CIFS proxy using GSSAPI forwarding, and it
> would be unfortunate to have Samba3 code out there that does not use it.
> 
> Andrew Bartlett



More information about the samba-technical mailing list