Samba3's fake GSSAPI and FreeBSD
Andrew Bartlett
abartlet at samba.org
Sun Sep 12 00:08:05 MDT 2010
On Sat, 2010-09-11 at 18:59 -0700, Jeremy Allison wrote:
> On Sat, Sep 11, 2010 at 07:01:16PM +1000, Andrew Bartlett wrote:
>
> > Samba4 will cope with the previous behaviour (a normal krb5 checksum
> > without a gssapi channel binding), and with a full gssapi channel
> > binding, but not this particular combination.
>
> Unfortunately Windows doesn't, and requres the checksum.
That's interesting - what I meant is that Windows and Samba4 (Heimdal)
accepted the 3.0 behaviour, where we had the normal krb5 checksum type,
and no data (because it's not gssapi, so no bindings to sum). The
variations after that I'm less clear on.
> > As this is all well
> > outside real GSSAPI behaviour, I've put this change in to keep
> > everything consistent.
> >
> > http://gitweb.samba.org/?p=samba.git;a=commitdiff;h=3b4db34011f06fb785153fa9070fb1da9d8f5c78
>
> Ok, that makes sense. Please apply to v3-6-test as well please.
Sure.
> > Perhaps we should perhaps have two simple defines: HAVE_KRB5 and
> > HAVE_MODERN_KRB5, with a switch between the two rather than testing for
> > each function, and getting too many combinations. We just can't test
> > the number of variations at the moment.
> >
> > In the long term, I very much look forward to replacing this with real
> > GSSAPI at some point, and removing much of this complexity.
>
> Sure, Simo is working on this at the moment.
Simo,
I would like to work with you on this, if you are able.
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Cisco Inc.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 190 bytes
Desc: This is a digitally signed message part
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20100912/0b5bdbfd/attachment.pgp>
More information about the samba-technical
mailing list