using GSSAPI in the smbd file server

Andrew Bartlett abartlet at samba.org
Sun Dec 11 15:19:04 MST 2011


On Sun, 2011-12-11 at 23:38 +1100, Luke Howard wrote:
> > The big tasks like reconciling (if not merging) loadparm, and smaller
> > but still important details such as handling GSSAPI secured connections
> > to s3 rpc pipes are all the same regardless of the 'grand scheme' of how
> > the smbd code is launched. 
> 
> 
> Support for either the Heimdal or MIT GSS-API library in the file server would be very useful. I know I didn't come through with the mechanism-agnostic integration, but it is something I want to look at again next year. 

When used as an AD DC, GSSAPI is used in the smbd file server session
setup:  The same GENSEC modules are used as in the AD DC, via a hook in
auth_samba4.

When we are not an AD DC, the old 'pseudo-GSSAPI' is still used for
session setup.  In order to be mechanism agnostic, this will need to be
upgraded to use GSSAPI full time, as well as upgrading the SPNEGO code
(probably including the mech list signature stuff).

The first step towards this would be to make the GSSAPI code in the s3
RPC server into a GENSEC module (in much the same way the s3 NTLMSSP code
was) and to use it across all of smbd (rpc server, smb sealing and
session setup).

In short, this is not a small task, but we are a little closer than we
were when you looked at this back at SambaXP.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
