[PATCH] Generalise auth_ntlmssp in s3
Stefan (metze) Metzmacher
metze at samba.org
Thu Dec 22 07:52:42 MST 2011
>>> This patch series generalises the auth_ntlmssp code into a more generic
>>> infrastructure, with the aim to have GSSAPI handled via GENSEC in the
>>> smb sealing, rpc server and eventually session setup code.
>>> The patches so far are just the start, but take a very measured, one
>>> small change at a time approach without intentional behaviour change,
>>> and are at:
>> Thanks! I plan to sign-off and push this too.
>>> Handling GSSAPI via GENSEC is important in order to finish the s3/s4
>>> integration efforts, so that the spoolss server is available with GSSAPI
>>> authentication in such a combined DC build.
>>> To achieve that, I will first wish to build a gensec wrapper for the
>>> 'gse' layer currently in use. Once this works, the existing hooks will
>>> simply redirect to the s4 gensec modules when in the AD server mode as
>>> they already do for NTLMSSP.
>>> This will also simplify the smb sealing code (which will then only deal
>>> with gensec), and in the longer term allow us to use real GSSAPI for
>>> session setup handling (rather than the current fake GSSAPI).
>> It would be really nice if we could hide most of the
>> source3/smbd/sessetup.c spnego code
>> behind a gensec backend. I think the chunk fragmentation for large krb5
>> should be handled inside the module.
> The SPNEGO code certainly is the biggest challenge here. Once we get
> the kerberos code behind GENSEC, I would like to experiment with using
> the Samba4 SPNEGO code, as it already knows about signing the
> mechListMIC and can handle arbitrary modules. We could pass in the
> possible modules via the gensec_settings parameter.
Yes, but the s4 spnego doesn't support the fragmentation stuff
of [MS-SPNG] yet, but it shouldn't be too hard to add...