NTLMSSP and GENSEC

Andrew Bartlett abartlet at samba.org
Sat Oct 15 00:52:40 MDT 2011


On Wed, 2011-10-12 at 21:03 +0200, Stefan (metze) Metzmacher wrote:
> Hi Andrew,
> 
> > At SDC I showed you my work to have the auth_ntlmssp code in
> > source3/auth implement a gensec module, to allow gensec functions to be
> > called, via the auth_ntlmssp wrapper.  
> > 
> > http://git.samba.org/?p=abartlet/samba.git/.git;a=shortlog;h=refs/heads/s3-auth-gensec-module-2
> 
> I'm busy currently, but I have a few fixes on top here:
> http://gitweb.samba.org/?p=metze/samba/wip.git;a=shortlog;h=refs/heads/master3-auth

Thanks, I've incorporated these changes, and finally chased down the
last issue breaking 'make test'.  (I've added a number of patches that
make this much more obvious if we ever have it happen again).

> > I've got this patch set almost working, but wanted to point you at it in
> > case it assists your work.  I'll continue to determine the remaining
> > test failures in the meantime.  (The perl/autogen.sh issue I mention in
> > the other thread also remains to be dealt with).
> > 
> > I also wanted to give you a heads-up as to my plans from here, to move
> > this from 'an interesting technical change' to a crucial part of the
> > work we were discussing to create a common client library, and a common
> > client/server smb encryption routine.
> > 
> > The next steps I see are:
> >  - to merge the NTLMSSP client code into a gensec module, adding in the
> > winbind hook for cached credentials
> >  - to create a common ntlmssp client gensec module
> >  - to use the common ntlmssp gensec module via the auth_ntlmssp wrapper
> > (ie implementing all the calls in terms of gensec)
> >  - Investigate providing the event context as an argument to
> > gensec_start_mech_by*() and gensec_update(), rather than
> > gensec_*_init().
> 
> I think only gensec_update*() should use event driven stuff.

For now, the module does not use any event context, so I've made no
change here yet.  

> >  - to unwrap the auth_ntlmssp wrapper (ie, have the callers, client and
> > then server call gensec directly)
> > 
> > This will then get us to a state where the source3/libsmb/smb_seal.c smb
> > encryption routine simply operates on a struct gensec_security, and can
> > be the core of a common client library.
> 
> That would help me a lot to bring my smb1/2 client library upstream.
> 
> > Naturally, I'll post any changes to the s3 code to the list for review
> > and keep you updated as I move these ideas into actual working code.
> 
> Thanks!
> metze

Please let me know how you wish to proceed from here as I've updated the
branch, and will move on to the client code next.  My hope is to
autobuild this early next week.

http://git.samba.org/?p=abartlet/samba.git/.git;a=shortlog;h=refs/heads/s3-auth-gensec-module-2

Andrew Bartlett


-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
