Samba3's fake GSSAPI and FreeBSD

Andrew Bartlett abartlet at samba.org
Sun Sep 12 17:56:35 MDT 2010


On Sun, 2010-09-12 at 09:24 -0400, simo wrote:
> On Sun, 2010-09-12 at 16:08 +1000, Andrew Bartlett wrote:
> > On Sat, 2010-09-11 at 18:59 -0700, Jeremy Allison wrote:
> > > On Sat, Sep 11, 2010 at 07:01:16PM +1000, Andrew Bartlett wrote:
> > > 
> > > > Samba4 will cope with the previous behaviour (a normal krb5 checksum
> > > > without a gssapi channel binding), and with a full gssapi channel
> > > > binding, but not this particular combination.
> > > 
> > > Unfortunately Windows doesn't, and requires the checksum.
> > 
> > That's interesting - what I meant is that Windows and Samba4 (Heimdal)
> > accepted the 3.0 behaviour, where we had the normal krb5 checksum type,
> > and no data (because it's not gssapi, so no bindings to sum).  The
> > variations after that I'm less clear on. 
> > 
> > > > As this is all well
> > > > outside real GSSAPI behaviour, I've put this change in to keep
> > > > everything consistent.
> > > > 
> > > > http://gitweb.samba.org/?p=samba.git;a=commitdiff;h=3b4db34011f06fb785153fa9070fb1da9d8f5c78
> > > 
> > > Ok, that makes sense. Please apply to v3-6-test as well please.
> > 
> > Sure.  
> > 
> > > > Perhaps we should have two simple defines:  HAVE_KRB5 and
> > > > HAVE_MODERN_KRB5, with a switch between the two rather than testing for
> > > > each function, and getting too many combinations.  We just can't test
> > > > the number of variations at the moment.  
> > > > 
> > > > In the long term, I very much look forward to replacing this with real
> > > > GSSAPI at some point, and removing much of this complexity.
> > > 
> > > Sure, Simo is working on this at the moment.
> > 
> > Simo,
> > 
> > I would like to work with you on this, if you are able. 
> 
> If you want to review the work being done in my msrpc branch, feel free
> to send comments. I am going to push it very soon, as most of my test
> scenarios seem to pass.

This looks like a very useful set of changes!  It also looks to me like
you have removed much of the DCE/RPC specific stuff from the
authentication code here, and so we have the hope that we could use the
same code in the SASL and CIFS servers too. 

Is the client code here too?  It's not very clear from the commits.

I'm keen to extend this - is there a particular area I could work on
that would help, without getting in your way?

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Cisco Inc.