[PATCH] Generalise auth_ntlmssp in s3

Andrew Bartlett abartlet at samba.org
Thu Dec 22 14:27:05 MST 2011


On Thu, 2011-12-22 at 15:52 +0100, Stefan (metze) Metzmacher wrote:
> Hi Andrew,

> > The SPNEGO code certainly is the biggest challenge here.  Once we get
> > the kerberos code behind GENSEC, I would like to experiment with using
> > the Samba4 SPNEGO code, as it already knows about signing the
> > mechListMIC and can handle arbitrary modules.  We could pass in the
> > possible modules via the gensec_settings parameter. 
> 
> Yes, but the s4 spnego doesn't support the fragmentation stuff
> of [MS-SPNG] yet, but it shouldn't be too hard to add...

Indeed, and it must be added anyway for the AD DC case.  I guess we will
need to extend GENSEC with an indication of the maximum negotiation
packet size, with say gensec_set_max_update_size().

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org


