NTLMSSP and GENSEC

Andrew Bartlett abartlet at samba.org
Wed Oct 19 17:13:23 MDT 2011


On Wed, 2011-10-19 at 10:17 -0700, Jeremy Allison wrote:
> On Wed, Oct 19, 2011 at 07:00:08PM +1100, Andrew Bartlett wrote:
> > On Wed, 2011-10-19 at 09:03 +1100, Andrew Bartlett wrote:
> > 
> > > 
> > > I've finished the first half of this, and updated the branch.  
> > > http://git.samba.org/?p=abartlet/samba.git/.git;a=shortlog;h=refs/heads/s3-auth-gensec-module-2
> > > 
> > > The next step is to only keep the struct gensec_security around long
> > > term (as we only ever use that member after auth_ntlmssp_client_start())
> > > 
> > > Thanks for all your patience and review on this.
> > 
> > Metze,
> > 
> > I've now done the final patches you should need for the common smb
> > client lib, updated at the URL above.  I think I'll take a break before
> > I do any more gensec work in s3, to let this settle in.  I do hope to
> > get the last of the ntlmssp client code in common, but it is no longer
> > urgent for your work. 
> > 
> > Jeremy,
> > 
> > You may wish to look carefully at these changes to the smb sealing code:
> > 
> > This patch removes the server-only context:
> > http://git.samba.org/?p=abartlet/samba.git/.git;a=commitdiff;h=3cc013eb40711ab7250a57dfca8b4ae45da95d98
> > 
> > This patch uses gensec_wrap() and gensec_unwrap().  I'll need to test
> > against an older version of Samba for this change, as any bug here is
> > highly likely to be symmetric:
> > 
> > http://git.samba.org/?p=abartlet/samba.git/.git;a=commitdiff;h=e15b5c8c36ef46ef3e644168be50e7c56a49baf7
> 
> Ok, took a quick look over and these changes seem fine
> to me (haven't run them though :-).

BTW, I wanted to thank you for taking my advice on the layout of the
NTLMSSP sealed packets.  It was great to be able to just use
gensec_wrap() and gensec_unwrap(), as this will make it much easier to
handle some arbitrary authentication mechanism in the future.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
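
The point in the quoted message about a bug being "highly likely to be symmetric", and the need to test against an older version, can be shown with a small added example. This is not code from the thread or from Samba: the framing is a constructed toy layout (not the NTLMSSP wire format), and `ref_wrap`, `new_wrap` and the other function names are hypothetical stand-ins for a known-good peer and the changed code.

```python
import hashlib
import hmac

MAC_LEN = 16  # constructed toy framing, not the NTLMSSP sealed-packet layout

def _mac(key: bytes, payload: bytes) -> bytes:
    return hmac.new(key, payload, hashlib.sha256).digest()[:MAC_LEN]

# Hypothetical known-good peer (the "older version"): MAC first, then payload.
def ref_wrap(key: bytes, payload: bytes) -> bytes:
    return _mac(key, payload) + payload

def ref_unwrap(key: bytes, blob: bytes) -> bytes:
    mac, payload = blob[:MAC_LEN], blob[MAC_LEN:]
    if not hmac.compare_digest(mac, _mac(key, payload)):
        raise ValueError("bad MAC")
    return payload

# Hypothetical changed code with one mistake shared by both directions:
# the MAC is written last and also read from the end.
def new_wrap(key: bytes, payload: bytes) -> bytes:
    return payload + _mac(key, payload)

def new_unwrap(key: bytes, blob: bytes) -> bytes:
    payload, mac = blob[:-MAC_LEN], blob[-MAC_LEN:]
    if not hmac.compare_digest(mac, _mac(key, payload)):
        raise ValueError("bad MAC")
    return payload

def roundtrips(wrap, unwrap, key: bytes, payload: bytes) -> bool:
    """True if unwrap() recovers exactly what wrap() protected."""
    try:
        return unwrap(key, wrap(key, payload)) == payload
    except ValueError:
        return False

def interop_matrix(key: bytes, payload: bytes) -> dict:
    """Run every wrap implementation against every unwrap implementation."""
    impls = {"ref": (ref_wrap, ref_unwrap), "new": (new_wrap, new_unwrap)}
    return {(w, u): roundtrips(impls[w][0], impls[u][1], key, payload)
            for w in impls for u in impls}

if __name__ == "__main__":
    # Constructed sample key and payload.
    for pair, ok in interop_matrix(b"k" * 16, b"constructed sample SMB payload").items():
        print(pair, "ok" if ok else "FAIL")
```

The self-test of the changed code passes because both directions share the mistake; only the cross pairs against the reference peer expose it.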


