using GSSAPI in the smbd file server
abartlet at samba.org
Sun Dec 11 15:19:04 MST 2011
On Sun, 2011-12-11 at 23:38 +1100, Luke Howard wrote:
> > The big tasks like reconciling (if not merging) loadparm, and smaller
> > but still important details such as handling GSSAPI secured connections
> > to s3 rpc pipes are all the same regardless of the 'grand scheme' of how
> > the smbd code is launched.
> Support for either the Heimdal or MIT GSS-API library in the file server would be very useful. I know I didn't come through with the mechanism-agnostic integration, but it is something I want to look at again next year.
When used as an AD DC, GSSAPI is used in the smbd file server session
setup: The same GENSEC modules are used as in the AD DC, via a hook in
When we are not an AD DC, the old 'psudo-GSSAPI' is still used for
session setup. In order to be mechanism agnostic, this will need to be
upgraded to use GSSAPI full time, as well as upgrading the SPNEGO code
(probably including the mech list signature stuff)
The first step towards this would be to make the GSSAPI code in the s3
RPC server into a GENSEC module (in much same way the s3 NTLMSSP code
was) and to use it across all of smbd (rpc server, smb sealing and
In short, this is not a small task, but we are a little closer than we
were when you looked at this back at SambaXP.
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
More information about the samba-technical