[PATCH] Generalise auth_ntlmssp in s3

Stefan (metze) Metzmacher metze at samba.org
Thu Dec 22 07:52:42 MST 2011

Hi Andrew,

>>> This patch series generalises the auth_ntlmssp code into a more generic
>>> infrastructure, with the aim to have GSSAPI handled via GENSEC in the
>>> smb sealing, rpc server and eventually session setup code.  
>>> The patches so far are just the start, but take a very measured, one
>>> small change at a time approach without intentional behaviour change,
>>> and are at: 
>>> http://git.samba.org/?p=abartlet/samba.git/.git;a=shortlog;h=refs/heads/s3-rpc-gensec
>> Thanks! I plan to sign-off and push this too.
>>> Handling GSSAPI via GENSEC is important in order to finish the s3/s4
>>> integration efforts, so that the spoolss server is available with GSSAPI
>>> authentication in such a combined DC build.  
>>> To achieve that, I will first wish to build a gensec wrapper for the
>>> 'gse' layer currently in use.  Once this works, the existing hooks will
>>> simply redirect to the s4 gensec modules when in the AD server mode as
>>> they already do for NTLMSSP.
>>> This will also simplify the smb sealing code (which will then only deal
>>> with gensec), and in the longer term allow us to use real GSSAPI for
>>> session setup handling (rather than the current fake GSSAPI). 
>> It would be really nice if could hide most of the
>> source3/smbd/sessetup.c spnego code
>> behind a gensec backend. I think the chunk fragmentation for large krb5
>> blobs
>> should be handled inside the module.
> The SPNEGO code certainly is the biggest challenge here.  Once we get
> the kerberos code behind GENSEC, I would like to experiment with using
> the Samba4 SPNEGO code, as it already knows about signing the
> mechListMIC and can handle arbitrary modules.  We could pass in the
> possible modules via the gensec_settings parameter. 

Yes, but the s4 spnego doesn't support the fragmentation stuff
of [MS-SPNG] yet, but it shouldn't be to hard to add...


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 262 bytes
Desc: OpenPGP digital signature
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20111222/f8bcc044/attachment.pgp>

More information about the samba-technical mailing list