NTLMSSP and GENSEC

Jeremy Allison jra at samba.org
Wed Oct 19 14:07:36 MDT 2011


On Thu, Oct 20, 2011 at 07:04:57AM +1100, Andrew Bartlett wrote:
> On Wed, 2011-10-19 at 15:53 +0200, Stefan (metze) Metzmacher wrote:
> > Hi Andrew,
> > 
> > > I've now done the final patches you should need for the common smb
> > > client lib, updated at the URL above.  I think I'll take a break before
> > > I do any more gensec work in s3, to let this settle in.  I do hope to
> > > get the last of the ntlmssp client code in common, but it is no longer
> > > urgent for your work. 
> > 
> > Ok, thanks! I'll work from there and push this to master once I've
> > reviewed it.
> > 
> > > Jeremy,
> > > 
> > > You may wish to look carefully at these changes to the smb sealing code:
> > > 
> > > This patch removes the server-only context:
> > > http://git.samba.org/?p=abartlet/samba.git/.git;a=commitdiff;h=3cc013eb40711ab7250a57dfca8b4ae45da95d98
> > > 
> > > This patch uses gensec_wrap() and gensec_unwrap().  I'll need to test
> > > against an older version of Samba for this change, as any bug here is
> > > highly likely to be symmetric:
> > > 
> > > http://git.samba.org/?p=abartlet/samba.git/.git;a=commitdiff;h=e15b5c8c36ef46ef3e644168be50e7c56a49baf7
> > 
> > I think we can use a new (or old bin/smbtorture4) in the autoconf build
> > to verify it works against the old (or new) code in make test.
> 
> This particular trick won't work, because smbtorture4 does not have any
> smb encryption functionality (it is an s3 only feature, hence all this
> work to help it be a common feature! :-)

No, I know smbtorture4 won't work - we have separate tests for
working encrypted transport in smbclient. But as you pointed out
this won't catch symmetric bugs - for that I'm intending to test
using an old smbclient manually.

