NTLMSSP and GENSEC

Stefan (metze) Metzmacher metze at samba.org
Wed Oct 12 13:03:15 MDT 2011


Hi Andrew,

> At SDC I showed you my work to have the auth_ntlmssp code in
> source3/auth implement a gensec module, to allow gensec functions to be
> called, via the auth_ntlmssp wrapper.  
> 
> http://git.samba.org/?p=abartlet/samba.git/.git;a=shortlog;h=refs/heads/s3-auth-gensec-module-2

I'm busy currently, but I have a few fixes on top here:
http://gitweb.samba.org/?p=metze/samba/wip.git;a=shortlog;h=refs/heads/master3-auth

> I've got this patch set almost working, but wanted to point you at it in
> case it assists your work.  I'll continue to determine the remaining
> test failures in the meantime.  (The perl/autogen.sh issue I mention in
> the other thread also remains to be dealt with).
> 
> I also wanted to give you a heads-up as to my plans from here, to move
> this from 'an interesting technical change' to a crucial part of the
> work we were discussing to create a common client library, and a common
> client/server smb encryption routine.
> 
> The next steps I see are:
>  - to merge the NTLMSSP client code into a gensec module, adding in the
> winbind hook for cached credentials
>  - to create a common ntlmssp client gensec module
>  - to use the common ntlmssp gensec module via the auth_ntlmssp wrapper
> (i.e. implementing all the calls in terms of gensec)
>  - Investigate providing the event context as an argument to
> gensec_start_mech_by*() and gensec_update(), rather than
> gensec_*_init().

I think only gensec_update*() should use event driven stuff.

>  - to unwrap the auth_ntlmssp wrapper (i.e., have the callers, client and
> then server call gensec directly)
> 
> This will then get us to a state where the source3/libsmb/smb_seal.c smb
> encryption routine simply operates on a struct gensec_security, and can
> be the core of a common client library.

That would help me a lot to bring my smb1/2 client library upstream.

> Naturally, I'll post any changes to the s3 code to the list for review
> and keep you updated as I move these ideas into actual working code.

Thanks!
metze
