[PATCH] support for kerberos in plugin DC code

Stefan (metze) Metzmacher metze at samba.org
Wed Jul 27 08:33:55 MDT 2011


On 27.07.2011 14:19, simo wrote:
> On Wed, 2011-07-27 at 14:31 +1000, tridge at samba.org wrote:
>> Hi All,
>>
>> Andrew and I have been working towards making the combination of the
>> s3 file server and s4 DC code more functional. One of the big missing
>> pieces in this was kerberos - it was not possible to use kerberos
>> authenticated connections in a s4 server when using the s3 file server
>> code, regardless of whether the franky or builtin approach is used.
>>
>> The reason for this is that the s3 authentication layer doesn't
>> support AES tickets, and whether AES is used is a property of the
>> join, not a property of the connection. So when s4 joins a domain
>> (either as a DC or as an ordinary member), it will set itself up as
>> supporting AES, but when the s3 auth code then tried to negotiate a
>> kerberos based connection with a client it could not handle the
>> resulting AES tickets.
> 
> As far as I remember this is only because we explicitly set the
> supported set of enctype to DES and RC4 and exclude AES.
> IIRC it would be very easy to just allow the use of AES keys as well by
> changing that list.

It's not so simple.
The s3 krb5 does not do mutual authentication correctly,
which is required to get the correct session key for smb signing.

>> The patches are in the s3-auth-gensec in git://git.samba.org/abartlet/samba.git
>>
>> I've looked at these changes pretty carefully and I'm happy that they
>> are OK, so we plan on pushing these soon if there are no objections. I
>> think this is an important step towards releasing Samba 4.0 with a
>> fully functional file server based on the current s3 file server code.
> 
> I'd like you to give quite some time to review and decide if it is ok.
> I have been opposed on introducing gensec in s3 for a few reasons. One
> is dependencies, the other is that IIRC gensec does not create new event
> loops but allows nesting of loops. That is something too dangerous for
> the file server imho.

Yes, this needs a lot of review, I hope to get some time in the next days.

metze
