[PATCH] Implement GSE as a gensec module for GSSAPI in s3

Andrew Bartlett abartlet at samba.org
Fri Jan 6 07:33:45 MST 2012


On Fri, 2012-01-06 at 15:07 +0100, Stefan (metze) Metzmacher wrote:
> Am 06.01.2012 14:51, schrieb simo:
> > On Fri, 2012-01-06 at 15:58 +1100, Andrew Bartlett wrote: 
> >> On Thu, 2012-01-05 at 07:40 +1100, Andrew Bartlett wrote:
> >>> On Wed, 2012-01-04 at 12:11 +0100, Stefan (metze) Metzmacher wrote:
> >>>> Hi Andrew,
> >>>>
> >>>>> It now passes make test.  I had to unify the principal selection logic
> >>>>> between the gse code and the session setup code to avoid MIT-kerberos
> >>>>> generated DNS lookups in make test:
> >>>>>
> >>>>> http://git.samba.org/?p=abartlet/samba.git/.git;a=commitdiff;h=23ad69757911f2af86558c5752420e9e70228160
> >>>>>
> >>>>> A similar change needs to be made to the smb seal client, and a ktest
> >>>>> similar to the rpcclient test needs to be added. 
> >>>>>
> >>>>> So, after a long gestation, finally I think this is ready to be
> >>>>> submitted to autobuild!
> >>>>
> >>>> I'll take a look at it and may push it, ok?
> >>>
> >>> Thanks metze!
> >>
> >> Thanks for pushing the parts you had, and for finding the MIT krb5
> >> gss_wrap_iov bug!
> >>
> >> To try and help, I've updated my branch, dropping the untested patch for
> >> the smb2 torture test and rebasing on top of your reindent work:
> >>
> >> https://git.samba.org/abartlet/samba.git/?p=abartlet/samba.git/.git;a=shortlog;h=refs/heads/s3-rpc-gensec
> >>  
> >> I also put my full branch s3-rpc-gensec-wip past an autobuild, and it
> >> passes:
> >>
> >> https://git.samba.org/abartlet/samba.git/?p=abartlet/samba.git/.git;a=shortlog;h=refs/heads/s3-rpc-gensec-wip 
> >>
> >> Let me know if there is anything more I can do to help,
> > 
> > Does the autobuild test both with heimdal and MIT kerberos ?
> 
> Yes, with heimdal in the top-level waf build and with MIT 1.8.1
> in the source3 autoconf build.
> 
> That way I found the bug in MIT 1.8.1, see
> https://gitweb.samba.org/?p=samba.git;a=commitdiff;h=73ed88df350c0e307fcf7402be12170c22f2227e
> 
> Just for the record I'll push Andrew's code step by step.
> I maintain a branch with some comments in the commit messages here:
> https://gitweb.samba.org/?p=metze/samba/wip.git;a=shortlog;h=refs/heads/master4-abartlet

Regarding
https://gitweb.samba.org/?p=metze/samba/wip.git;a=commitdiff;h=cad28683e2a119037546a1198af582664b02f6f8

The reason for the odd 'TODO: save PAC data in netsamlogon cache ?' is
that (I should have been clearer in the commit message) this code is
copied directly from source3/rpc_server/dcesrv_gssapi.c and I've tried
very hard to avoid changing any behaviours in this process.

We should indeed save the PAC data, and we should also carefully review
the other behaviours of the session setup kerberos handling (smb.conf
reloads etc) to determine if they are required, and then make this code
match exactly.  This will give us confidence to eventually use the
gensec_gse module in all parts of Samba3.

I'm happy for that to be done after these changes (as I intended), or
before (in dcesrv_gssapi.c), but to keep to 'no intentional behaviour
change', it should not be silently squashed into this commit.

Well spotted and thanks,

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
