NTLMSSP and GENSEC

Stefan (metze) Metzmacher metze at samba.org
Mon Oct 17 03:00:41 MDT 2011


Hi Andrew,

>> I've fixed some formatting and fixed the autoconf build
>> (auth/ntlmssp/gensec_ntlmssp.c was missing)
>> http://gitweb.samba.org/?p=metze/samba/wip.git;a=shortlog;h=refs/heads/master3-auth
>>
>> Can you take a look at the TODOs?
>> http://gitweb.samba.org/?p=metze/samba/wip.git;a=commitdiff;h=130432987826662c2187e7a88ad9a2d9dda0cd1e
>> Why do we downgrade to the next spnego mech on LOGON_FAILURE?
>>
>> I think the backend has to decide that and convert LOGON_FAILURE into
>> NT_STATUS_INVALID_PARAMETER if it's started as a subcontext.
> 
> Before the start and update methods were combined, when a mech failed to
> start for any reason, it would be skipped.  This just attempts to catch
> the common cases - it may be that the server appears to support
> kerberos, but that we are trying to log in with a local user.

Shouldn't we be able to catch that by looking at the domain of the
client credentials?

> We can't change the error code, because if kerberos was forced, then we
> really want to return LOGON_FAILURE back to the user.

Maybe we can use NT_STATUS_INVALID_LOGON_TYPE,
NT_STATUS_LOGON_TYPE_NOT_GRANTED
or NT_STATUS_INSUFFICIENT_LOGON_INFO to indicate the mech can't be used.

I think LOGON_FAILURE should be handled as a final error, as it's likely
that we used the wrong password and increased the bad password count. We
should avoid doing that twice without asking the user for the correct
password before.

> I'm quite open to alternate patterns or suggestions - perhaps we should
> always fall back to the next mechanism on update() failure, like we did
> for start()?

No.

>> Not related to your code, but can you have a look at
>> http://gitweb.samba.org/?p=metze/samba/wip.git;a=commitdiff;h=ff36902f17caff35e29dc9ab71df80910f1f34df
>> I think we should add the unix id of the user to the group array if
>> it's mapped with WBC_ID_TYPE_BOTH.
> 
> I guess that's reasonable.  We should ensure winbindd answers for id ->
> name lookups for that, and that when an ACL is set, we set permissions
> for the group id, not the user id where possible.

Yes, that's the next step.

metze
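An added, self-contained model of the two fallback policies argued about above (this is illustration code, not Samba's GENSEC or SPNEGO implementation, and the mech interface, the ST_* status enum, the DEMO_DOMAIN/DEMO_PASSWORD account and the bad-password counter are all constructed for the demo). It shows why treating LOGON_FAILURE as final matters: with "always fall back" a single wrong password for a domain account is checked by both mechs and the bad password count goes up twice, while a mech that decides from the credentials' domain that it cannot be used (returning the INVALID_PARAMETER stand-in) is skipped without any password ever being checked.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed status codes standing in for the NT_STATUS values in the thread. */
typedef enum {
    ST_OK = 0,
    ST_LOGON_FAILURE,     /* password checked and rejected (NT_STATUS_LOGON_FAILURE): final */
    ST_INVALID_PARAMETER  /* mech unusable for these creds (NT_STATUS_INVALID_PARAMETER): skip */
} status_t;

struct creds {
    const char *domain;   /* "" models a local account */
    const char *password;
};

/* Hypothetical mech interface for this demo; not GENSEC's own ops table. */
struct mech {
    const char *name;
    status_t (*update)(const struct creds *c, int *bad_pw_count);
};

/* Constructed demo account. */
#define DEMO_DOMAIN   "EXAMPLE"
#define DEMO_PASSWORD "correct-horse"

static status_t check_password(const struct creds *c, int *bad_pw_count)
{
    if (strcmp(c->password, DEMO_PASSWORD) != 0) {
        (*bad_pw_count)++;            /* models the server-side bad password count going up */
        return ST_LOGON_FAILURE;
    }
    return ST_OK;
}

static status_t krb5_update(const struct creds *c, int *bad_pw_count)
{
    /* Decide from the credentials' domain before any password is sent:
     * a local account has no realm, so this mech is simply not usable. */
    if (strcmp(c->domain, DEMO_DOMAIN) != 0)
        return ST_INVALID_PARAMETER;
    return check_password(c, bad_pw_count);
}

static status_t ntlmssp_update(const struct creds *c, int *bad_pw_count)
{
    return check_password(c, bad_pw_count);   /* usable for local and domain accounts */
}

static const struct mech mechs[] = {
    { "krb5",    krb5_update },
    { "ntlmssp", ntlmssp_update },
};
#define NMECHS (sizeof(mechs) / sizeof(mechs[0]))

/* Run the mech list in preference order. With always_fallback == false (the
 * policy argued for in the thread) only ST_INVALID_PARAMETER moves on to the
 * next mech and ST_LOGON_FAILURE ends the negotiation; with
 * always_fallback == true every failure tries the next mech. Returns the
 * number of bad-password events recorded and, optionally, the final status
 * and the name of the mech that produced it. */
int run_case(const char *domain, const char *password, bool always_fallback,
             status_t *final, const char **chosen)
{
    struct creds c = { domain, password };
    int bad_pw_count = 0;
    status_t st = ST_INVALID_PARAMETER;
    const char *name = NULL;
    size_t i;

    for (i = 0; i < NMECHS; i++) {
        st = mechs[i].update(&c, &bad_pw_count);
        if (st == ST_INVALID_PARAMETER)
            continue;                 /* mech declined without checking a password */
        name = mechs[i].name;
        if (st == ST_OK || !always_fallback)
            break;
    }
    if (final) *final = st;
    if (chosen) *chosen = name;
    return bad_pw_count;
}

status_t final_status(const char *domain, const char *password, bool always_fallback)
{
    status_t st;
    run_case(domain, password, always_fallback, &st, NULL);
    return st;
}

int main(void)
{
    const char *who;
    int n = run_case(DEMO_DOMAIN, "wrong", false, NULL, &who);
    printf("final-error policy: %d bad password event(s), stopped at %s\n", n, who);
    n = run_case(DEMO_DOMAIN, "wrong", true, NULL, &who);
    printf("always-fallback:    %d bad password event(s), stopped at %s\n", n, who);
    n = run_case("", "wrong", false, NULL, &who);
    printf("local account:      %d bad password event(s), via %s\n", n, who);
    return 0;
}
```

Running it shows one bad-password event for the domain account under the final-error policy and two under always-fallback, while the local account is never offered to the kerberos mech at all and is checked exactly once by ntlmssp.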
