[PATCH] Generalise auth_ntlmssp in s3

Stefan (metze) Metzmacher metze at samba.org
Thu Dec 22 05:44:50 MST 2011

Hi Andrew,

> This patch series generalises the auth_ntlmssp code into a more generic
> infrastructure, with the aim to have GSSAPI handled via GENSEC in the
> smb sealing, rpc server and eventually session setup code.  
> The patches so far are just the start, but take a very measured, one
> small change at a time approach without intentional behaviour change,
> and are at: 
> http://git.samba.org/?p=abartlet/samba.git/.git;a=shortlog;h=refs/heads/s3-rpc-gensec

Thanks! I plan to sign-off and push this too.

> Handling GSSAPI via GENSEC is important in order to finish the s3/s4
> integration efforts, so that the spoolss server is available with GSSAPI
> authentication in such a combined DC build.  
> To achieve that, I will first wish to build a gensec wrapper for the
> 'gse' layer currently in use.  Once this works, the existing hooks will
> simply redirect to the s4 gensec modules when in the AD server mode as
> they already do for NTLMSSP.
> This will also simplify the smb sealing code (which will then only deal
> with gensec), and in the longer term allow us to use real GSSAPI for
> session setup handling (rather than the current fake GSSAPI). 

It would be really nice if could hide most of the
source3/smbd/sessetup.c spnego code
behind a gensec backend. I think the chunk fragmentation for large krb5
should be handled inside the module.

I'm currently trying to change the register_*_vuid code from
to use a smbXsrv_session structure, which can be used for smb1 and smb2
as a replacement for the current struct smbd_smb2_session.

> Merry Christmas!



-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 262 bytes
Desc: OpenPGP digital signature
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20111222/58854c36/attachment.pgp>

More information about the samba-technical mailing list