using GSSAPI in the smbd file server

Andrew Bartlett abartlet at
Sun Dec 11 15:19:04 MST 2011

On Sun, 2011-12-11 at 23:38 +1100, Luke Howard wrote:
> > The big tasks like reconciling (if not merging) loadparm, and smaller
> > but still important details such as handling GSSAPI secured connections
> > to s3 rpc pipes are all the same regardless of the 'grand scheme' of how
> > the smbd code is launched. 
> Support for either the Heimdal or MIT GSS-API library in the file server would be very useful. I know I didn't come through with the mechanism-agnostic integration, but it is something I want to look at again next year. 

When used as an AD DC, GSSAPI is used in the smbd file server session
setup:  The same GENSEC modules are used as in the AD DC, via a hook in

When we are not an AD DC, the old 'pseudo-GSSAPI' is still used for
session setup.  In order to be mechanism agnostic, this will need to be
upgraded to use GSSAPI full time, as well as upgrading the SPNEGO code
(probably including the mech list signature stuff)

The first step towards this would be to make the GSSAPI code in the s3
RPC server into a GENSEC module (in much the same way the s3 NTLMSSP code
was) and to use it across all of smbd (rpc server, smb sealing and
session setup). 

In short, this is not a small task, but we are a little closer than we
were when you looked at this back at SambaXP.

Andrew Bartlett

Andrew Bartlett                      
Authentication Developer, Samba Team 
