NTLMSSP and GENSEC

Andrew Bartlett abartlet at samba.org
Tue Oct 11 17:49:45 MDT 2011


Metze,

At SDC I showed you my work to have the auth_ntlmssp code in
source3/auth implement a gensec module, to allow gensec functions to be
called, via the auth_ntlmssp wrapper.  

http://git.samba.org/?p=abartlet/samba.git/.git;a=shortlog;h=refs/heads/s3-auth-gensec-module-2

I've got this patch set almost working, but wanted to point you at it in
case it assists your work.  I'll continue to determine the remaining
test failures in the meantime.  (The perl/autogen.sh issue I mention in
the other thread also remains to be dealt with).

I also wanted to give you a heads-up as to my plans from here, to move
this from 'an interesting technical change' to a crucial part of the
work we were discussing to create a common client library, and a common
client/server smb encryption routine.

The next steps I see are:
 - to merge the NTLMSSP client code into a gensec module, adding in the
winbind hook for cached credentials
 - to create a common ntlmssp client gensec module
 - to use the common ntlmssp gensec module via the auth_ntlmssp wrapper
(i.e. implementing all the calls in terms of gensec)
 - Investigate providing the event context as an argument to
gensec_start_mech_by*() and gensec_update(), rather than
gensec_*_init().
 - to unwrap the auth_ntlmssp wrapper (i.e., have the callers, client and
then server call gensec directly)

This will then get us to a state where the source3/libsmb/smb_seal.c smb
encryption routine simply operates on a struct gensec_security, and can
be the core of a common client library.

Naturally, I'll post any changes to the s3 code to the list for review
and keep you updated as I move these ideas into actual working code.

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
