[PATCH] Implement GSE as a gensec module for GSSAPI in s3
Andrew Bartlett
abartlet at samba.org
Tue Jan 3 20:47:51 MST 2012

On Wed, 2012-01-04 at 00:46 +1100, Andrew Bartlett wrote:
> On Mon, 2012-01-02 at 22:56 +1100, Andrew Bartlett wrote:
> > On Tue, 2011-12-27 at 12:07 +1100, Andrew Bartlett wrote:
> > > On Thu, 2011-12-22 at 13:44 +0100, Stefan (metze) Metzmacher wrote:
> > > > Hi Andrew,
> > > >
> > > > > This patch series generalises the auth_ntlmssp code into a more generic
> > > > > infrastructure, with the aim to have GSSAPI handled via GENSEC in the
> > > > > smb sealing, rpc server and eventually session setup code.
> > > > >
> > > > > The patches so far are just the start, but take a very measured, one
> > > > > small change at a time approach without intentional behaviour change,
> > > > > and are at:
> > > > > http://git.samba.org/?p=abartlet/samba.git/.git;a=shortlog;h=refs/heads/s3-rpc-gensec
> > > >
> > > > Thanks! I plan to sign-off and push this too.
> > >
> > > Thanks for pushing that. I've updated the branch with a new set of
> > > changes. These follow in the same pattern, making the code more
> > > generic, but not intentionally changing behaviour. This set of changes
> > > introduces a new way to specify the gensec modules list.
> > >
> > > My hope is that once we make the use of NTLMSSP totally generic (ie,
> > > just specified with a parameter rather than via dedicated functions), it
> > > will be much easier to call other modules and even the SPNEGO we
> > > discussed via the same, tested call stack.
> >
> > I've been busy over the break, and again updated the branch.
> > http://git.samba.org/?p=abartlet/samba.git/.git;a=shortlog;h=refs/heads/s3-rpc-gensec
> >
> > The big thing I've been working towards is that with these patches, we
> > now call into the GSE GSSAPI abstraction layer via GENSEC, rather than
> > via switch statements in the librpc code.
> >
> > Now that librpc handles GSSAPI this way, we should be able to do the
> > same with the SMB sealing code (with the same 'make NTLMSSP case
> > generic' pattern) and eventually even handle the session setup code.
> >
> > This passes the important 'ktest' tests, and is undergoing a full make
> > test on sn-devel overnight.
> >
> > The remaining task is to write a blackbox test for rpcclient, to ensure
> > that the client code still works, as the GSSAPI codepath here appears
> > not to be automatically tested so far.
>
> This builds with autoconf, passes the new rpcclient tests I've added,
> and is undergoing a full make test on sn-devel overnight.

It now passes make test. I had to unify the principal selection logic
between the gse code and the session setup code to avoid MIT-kerberos
generated DNS lookups in make test:

http://git.samba.org/?p=abartlet/samba.git/.git;a=commitdiff;h=23ad69757911f2af86558c5752420e9e70228160

A similar change needs to be made to the smb seal client, and a ktest
similar to the rpcclient test needs to be added.

So, after a long gestation, finally I think this is ready to be
submitted to autobuild!

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org