[PATCH] Implement GSE as a gensec module for GSSAPI in s3
Andrew Bartlett
abartlet at samba.org
Tue Jan 3 06:46:51 MST 2012

On Mon, 2012-01-02 at 22:56 +1100, Andrew Bartlett wrote:
> On Tue, 2011-12-27 at 12:07 +1100, Andrew Bartlett wrote:
> > On Thu, 2011-12-22 at 13:44 +0100, Stefan (metze) Metzmacher wrote:
> > > Hi Andrew,
> > >
> > > > This patch series generalises the auth_ntlmssp code into a more generic
> > > > infrastructure, with the aim to have GSSAPI handled via GENSEC in the
> > > > smb sealing, rpc server and eventually session setup code.
> > > >
> > > > The patches so far are just the start, but take a very measured, one
> > > > small change at a time approach without intentional behaviour change,
> > > > and are at:
> > > > http://git.samba.org/?p=abartlet/samba.git/.git;a=shortlog;h=refs/heads/s3-rpc-gensec
> > >
> > > Thanks! I plan to sign-off and push this too.
> >
> > Thanks for pushing that. I've updated the branch with a new set of
> > changes. These follow in the same pattern, making the code more
> > generic, but not intentionally changing behaviour. This set of changes
> > introduces a new way to specify the gensec modules list.
> >
> > My hope is that once we make the use of NTLMSSP totally generic (ie,
> > just specified with a parameter rather than via dedicated functions), it
> > will be much easier to call other modules and even the SPNEGO we
> > discussed via the same, tested call stack.
>
> I've been busy over the break, and again updated the branch.
> http://git.samba.org/?p=abartlet/samba.git/.git;a=shortlog;h=refs/heads/s3-rpc-gensec
>
> The big thing I've been working towards is that with these patches, we
> now call into the GSE GSSAPI abstraction layer via GENSEC, rather than
> via switch statements in the librpc code.
>
> Now that librpc handles GSSAPI this way, we should be able to do the
> same with the SMB sealing code (with the same 'make NTLMSSP case
> generic' pattern) and eventually even handle the session setup code.
>
> This passes the important 'ktest' tests, and is undergoing a full make
> test on sn-devel overnight.
>
> The remaining task is to write a blackbox test for rpcclient, to ensure
> that the client code still works, as the GSSAPI codepath here appears
> not to be automatically tested so far.
This builds with autoconf, passes the new rpcclient tests I've added,
and is undergoing a full make test on sn-devel overnight.
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org