[PATCH] Implement GSE as a gensec module for GSSAPI in s3

Andrew Bartlett abartlet at samba.org
Mon Jan 2 04:56:42 MST 2012 

On Tue, 2011-12-27 at 12:07 +1100, Andrew Bartlett wrote:
> On Thu, 2011-12-22 at 13:44 +0100, Stefan (metze) Metzmacher wrote:
> > Hi Andrew,
> > 
> > > This patch series generalises the auth_ntlmssp code into a more generic
> > > infrastructure, with the aim to have GSSAPI handled via GENSEC in the
> > > smb sealing, rpc server and eventually session setup code.  
> > > 
> > > The patches so far are just the start, but take a very measured, one
> > > small change at a time approach without intentional behaviour change,
> > > and are at: 
> > > http://git.samba.org/?p=abartlet/samba.git/.git;a=shortlog;h=refs/heads/s3-rpc-gensec
> > 
> > Thanks! I plan to sign-off and push this too.
> 
> Thanks for pushing that.  I've updated the branch with a new set of
> changes.  These follow in the same pattern, making the code more
> generic, but not intentionally changing behaviour.  This set of changes
> introduces a new way to specify the gensec modules list.  
> 
> My hope is that once we make the use of NTLMSSP totally generic (ie,
> just specified with a parameter rather than via dedicated functions), it
> will be much easier to call other modules and even the SPNEGO we
> discussed via the same, tested call stack. 

I've been busy over the break, and again updated the branch.
http://git.samba.org/?p=abartlet/samba.git/.git;a=shortlog;h=refs/heads/s3-rpc-gensec

The big thing I've been working towards is that with these patches, we
now call into the GSE GSSAPI abstraction layer via GENSEC, rather than
via switch statements in the librpc code. 

Now that librpc handles GSSAPI this way, we should be able to do the
same with the SMB sealing code (with the same 'make NTLMSSP case
generic' pattern) and eventually even handle the session setup code. 

This passes the important 'ktest' tests, and is undergoing a full make
test on sn-devel overnight. 

The remaining task is to write a blackbox test for rpcclient, to ensure
that the client code still works, as the GSSAPI codepath here appears
not to be automatically tested so far. 

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org

More information about the samba-technical mailing list