[PATCH] Generalise auth_ntlmssp in s3
abartlet at samba.org
Thu Dec 22 14:27:05 MST 2011
On Thu, 2011-12-22 at 15:52 +0100, Stefan (metze) Metzmacher wrote:
> Hi Andrew,
> > The SPNEGO code certainly is the biggest challenge here. Once we get
> > the kerberos code behind GENSEC, I would like to experiment with using
> > the Samba4 SPNEGO code, as it already knows about signing the
> > mechListMIC and can handle arbitrary modules. We could pass in the
> > possible modules via the gensec_settings parameter.
> Yes, but the s4 spnego doesn't support the fragmentation stuff
> of [MS-SPNG] yet, but it shouldn't be too hard to add...
Indeed, and it must be added anyway for the AD DC case. I guess we will
need to extend GENSEC with an indication of the maximum negotiation
packet size, with say gensec_set_max_update_size().
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org