Samba3's fake GSSAPI and FreeBSD
idra at samba.org
Sun Sep 12 07:24:40 MDT 2010
On Sun, 2010-09-12 at 16:08 +1000, Andrew Bartlett wrote:
> On Sat, 2010-09-11 at 18:59 -0700, Jeremy Allison wrote:
> > On Sat, Sep 11, 2010 at 07:01:16PM +1000, Andrew Bartlett wrote:
> > > Samba4 will cope with the previous behaviour (a normal krb5 checksum
> > > without a gssapi channel binding), and with a full gssapi channel
> > > binding, but not this particular combination.
> > Unfortunately Windows doesn't, and requires the checksum.
> That's interesting - what I meant is that Windows and Samba4 (Heimdal)
> accepted the 3.0 behaviour, where we had the normal krb5 checksum type,
> and no data (because it's not gssapi, so no bindings to sum). The
> variations after that I'm less clear on.
> > > As this is all well
> > > outside real GSSAPI behaviour, I've put this change in to keep
> > > everything consistent.
> > >
> > > http://gitweb.samba.org/?p=samba.git;a=commitdiff;h=3b4db34011f06fb785153fa9070fb1da9d8f5c78
> > Ok, that makes sense. Please apply to v3-6-test as well please.
> > > Perhaps we should perhaps have two simple defines: HAVE_KRB5 and
> > > HAVE_MODERN_KRB5, with a switch between the two rather than testing for
> > > each function, and getting too many combinations. We just can't test
> > > the number of variations at the moment.
> > >
> > > In the long term, I very much look forward to replacing this with real
> > > GSSAPI at some point, and removing much of this complexity.
> > Sure, Simo is working on this at the moment.
> I would like to work with you on this, if you are able.
If you want to review the work being done in my msrpc branch, feel free
to send comments. I am going to push it very soon, as most of my test
scenarios seem to pass.
Samba Team GPL Compliance Officer <simo at samba.org>
Principal Software Engineer at Red Hat, Inc. <simo at redhat.com>