[PATCH SET] Refactoring of auth_ntlmssp

Andrew Bartlett abartlet at samba.org
Sun Jul 18 01:10:22 MDT 2010

On Sat, 2010-07-17 at 22:34 -0400, simo wrote:
> On Sun, 2010-07-18 at 08:23 +1000, Andrew Bartlett wrote:
> > On Sat, 2010-07-17 at 15:08 -0400, simo wrote:
> > > Hello,
> > > I have refactored a bit the way we deal with auth_ntlmssp in this tree:
> > > http://git.samba.org/?p=idra/samba.git;a=shortlog;h=refs/heads/ntlmssp
> > > 
> > > The aim was to be able to always use ntlmssp_state instead of a mix of
> > > ntlmss_state/auth_ntlmssp_state so that I can proceed with cleaning up
> > > cli_pipe.c/srv_pipe.c and make more code common between them. The main
> > > obstacle was the use of auth_ntlmssp_state vs ntlmssp_state.
> > > 
> > > If there are no objections I'd like to push the top most 15 patches to
> > > master. It passes make test and make selftest.
> > 
> > Thanks for looking into this.  I'll look at it early next week.  
> > 
> > However, my main concern (and perhaps it isn't warranted, which is why
> > I'll look at it properly next week) is that currently I can replace
> > auth_ntlmssp_state with a GENSEC wrapper in s3compat.  Without the
> > intermediate structure of a different name, it may become much more
> > difficult to make this change.   (We had a similar problem when trying
> > to merge the NTLMSSP code late last year, and had to re-introduce a
> > wrapper structure in GENSEC). 
> Sorry,
> but I need this change to go on with my other work in the msrpc branch.


You asked me for my views on this, and I've asked for some time to look
over the problem.  I would ask that you hold off on putting this code
in, until I can look over the changes fully, and we come to an
acceptable resolution. 

> So unless the code is factually wrong I would still go on with this
> change. Once I will be done with the changes I am making it will be a
> simple matter replacing the rpc wrappers, as for the smbd code there
> very few places where ntlmssp_state is used I am sure it can be dealt
> with.
> Note that auth_ntlmssp_state as a structure still exist, it is simply
> concealed in ntlmssp_state.

I did consider this a little while out today, and wondered if we could
do the reverse:  Always use a wrapping structure (called
auth_ntlmssp_state or otherwise), that would not conflict in name with

Please do not make this change until we can work out a good way to both
address your requirements, and make the merge for Samba 4.0 as easy as
possible.  Quite possibly your change is perfectly sensible, I'll let
you know in the next day or so, if you would give me that opportunity. 


Andrew Bartlett

Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Cisco Inc.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 190 bytes
Desc: This is a digitally signed message part
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20100718/bf3a9dde/attachment.pgp>

More information about the samba-technical mailing list