[PATCH] support for kerberos in plugin DC code

Andrew Bartlett abartlet at samba.org
Fri Jul 29 16:30:40 MDT 2011

On Fri, 2011-07-29 at 17:09 +0200, Stefan (metze) Metzmacher wrote:
> >> I'd like you to give quite some time to review and decide if it is ok.
> >> I have been opposed on introducing gensec in s3 for a few reasons. One
> >> is dependencies, the other is that IIRC gensec does not create new event
> >> loops bu allows nesting of loops. That is something too dangerous for
> >> the file server imho.
> > 
> > Yes, this needs a lot of review, I hope to get some time in the next days.
> Here're my first result, but I'll do more review on monday:
> - please keep the prototype of gensec_socket_init() and
>   dcerpc_schannel_creds() under source4. Maybe others too.

OK.  I'll see if I can find a more appropriate place for these

> - In s3-auth Use else if in do_map_to_guest_server_info use:
>   return make_server_info_guest();
>   instead of status = make_server_info_guest()

Sure, I can change that.  It is amazing how much comment this poor
little function (copied unchanged from sesssetup.c) got :-)

(Tridge asked for the else if)

> - please change gensec_session_info() to take an explict memory context
>   from the caller before using it in auth_ntlmssp_steal_session_info()

I'll check the reasoning for the original design pattern and see what I
can do.

>   BTW: Why does auth_ntlmssp_steal_session_info have 'steal' in its name?

It has steal in it's name because I was specifically asked to put steal
in it's name in the review of an earlier patch series. 

> - In s3-ntlmssp Remove rpccli_get_pwd_hash and auth_ntlmssp_get_nt_hash
>   please remove the empty lines after calling cli_get_session_key().
> - In gensec: Don't keep a second copy of the auth4_context in
> gensec_ntlmssp_state
>   wouldn't it be better to remove it from gensec_security?
>   gensec_security should become a private structure in the end
>   (hopefully renamed to gensec_session...)

GENSEC requires the auth4_context for the NTLMSSP backend in Samba4, and
it provides function pointers for generation of the session_info in all
Samba4 backends.  Doing so via a context on gensec_security avoids a
number of dependency loops that would otherwise exist, and allows the
auth4_context to be specified before the specific mechanism is

Andrew Bartlett
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org

More information about the samba-technical mailing list