[PATCH] Proposed merge of some NTLMSSP crypto

Andrew Bartlett abartlet at samba.org
Wed Dec 16 15:41:59 MST 2009


On Wed, 2009-12-09 at 00:41 +1100, Andrew Bartlett wrote:
> In my git tree 'ntlmssp-merge-wip' I have the current state of my
> efforts to merge the NTLMSSP code between Samba3 and Samba4.
> 
> My hope here is to reduce the duplication of the crypto code, and make
> an eventual full merge of this important subsystem easier.
> 
> git://git.samba.org/abartlet/samba.git ntlmssp-merge-wip
> 
> The tests seem to pass in Samba4, but I still need to look into some
> Samba3 issues.  It will be important to test with Windows clients too,
> and any assistance in that area, particularly against Samba3 will be
> most appreciated.

> Any review or testing most appreciated,

I've updated my current work in progress in that branch.  I've made much
more progress than I ever expected - in addition to the state of the
merge there, I've fixed bugs that caused NTLM2 to fail in Samba3's
server, and merged the whole server-side NTLMSSP stack.

I've also merged the initial packet on the client.

The initialisation of the subsystem remains in each branch, allowing
function pointers to the separate auth subsystems to be supplied. 

Despite my earlier comments, it does now touch the area of 'async' in
that it calls to the synchronous 'check password' routines provided by
Samba3 and Samba4.  However, it preserves the work metze did in Samba4
to break up the 'before' and 'after' portions, which should make pushing
some of this into a callback much simpler, when required. 

The patch series at the above GIT URL does however have the following
attributes, so will almost certainly require much massaging to be
acceptable:
 - It has numerous whitespace errors (running the rebase with
--whitespace=fix caused problems)
 - It does not fully compile in both branches after every commit
 - It would certainly not fully pass 'make test' after every commit

It does however compile as a whole, and the results from 'make test' in
Samba3 pass and Samba4 looks promising so far. 

What I would like is a review of the code, the approach and
interfaces, as well as useful suggestions about how we can get this code
acceptable to be committed to 'master', once it's further tested.

Kai has done some work already on getting the previous set of patches
into more sensible chunks, and we could either follow up on that, or
perhaps merge it in larger parts, now that I've settled on a much less
invasive API, and allow GIT to show that ntlmssp.h has actually been
copied from the separate implementations. 

I hope that in merging this code, and the eventual merge of the
remainder of the NTLMSSP client, we can eventually get to merging
GENSEC, knowing that 2 of the 3 primary authentication mechanisms in
Samba (NTLMSSP and NETLOGON schannel) use common code for their basic
operation.

It is a long road to return to a common codebase, but one that I hope
this patch at least provides a roadmap to. 

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Cisco Inc.
