[PATCH] Implement GSE as a gensec module for GSSAPI in s3

Andrew Bartlett abartlet at samba.org
Tue Jan 3 06:46:51 MST 2012


On Mon, 2012-01-02 at 22:56 +1100, Andrew Bartlett wrote:
> On Tue, 2011-12-27 at 12:07 +1100, Andrew Bartlett wrote:
> > On Thu, 2011-12-22 at 13:44 +0100, Stefan (metze) Metzmacher wrote:
> > > Hi Andrew,
> > > 
> > > > This patch series generalises the auth_ntlmssp code into a more generic
> > > > infrastructure, with the aim to have GSSAPI handled via GENSEC in the
> > > > smb sealing, rpc server and eventually session setup code.  
> > > > 
> > > > The patches so far are just the start, but take a very measured, one
> > > > small change at a time approach without intentional behaviour change,
> > > > and are at: 
> > > > http://git.samba.org/?p=abartlet/samba.git/.git;a=shortlog;h=refs/heads/s3-rpc-gensec
> > > 
> > > Thanks! I plan to sign-off and push this too.
> > 
> > Thanks for pushing that.  I've updated the branch with a new set of
> > changes.  These follow in the same pattern, making the code more
> > generic, but not intentionally changing behaviour.  This set of changes
> > introduces a new way to specify the gensec modules list.  
> > 
> > My hope is that once we make the use of NTLMSSP totally generic (i.e.,
> > just specified with a parameter rather than via dedicated functions), it
> > will be much easier to call other modules and even the SPNEGO we
> > discussed via the same, tested call stack. 
> 
> I've been busy over the break, and again updated the branch.
> http://git.samba.org/?p=abartlet/samba.git/.git;a=shortlog;h=refs/heads/s3-rpc-gensec
> 
> The big thing I've been working towards is that with these patches, we
> now call into the GSE GSSAPI abstraction layer via GENSEC, rather than
> via switch statements in the librpc code. 
> 
> Now that librpc handles GSSAPI this way, we should be able to do the
> same with the SMB sealing code (with the same 'make NTLMSSP case
> generic' pattern) and eventually even handle the session setup code. 
> 
> This passes the important 'ktest' tests, and is undergoing a full make
> test on sn-devel overnight. 
> 
> The remaining task is to write a blackbox test for rpcclient, to ensure
> that the client code still works, as the GSSAPI codepath here appears
> not to be automatically tested so far. 

This builds with autoconf, passes the new rpcclient tests I've added,
and is undergoing a full make test on sn-devel overnight.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org



