[PATCH] Implement GSE as a gensec module for GSSAPI in s3
abartlet at samba.org
Fri Jan 6 15:06:39 MST 2012
On Fri, 2012-01-06 at 15:07 +0100, Stefan (metze) Metzmacher wrote:
> Am 06.01.2012 14:51, schrieb simo:
> > On Fri, 2012-01-06 at 15:58 +1100, Andrew Bartlett wrote:
> >> On Thu, 2012-01-05 at 07:40 +1100, Andrew Bartlett wrote:
> >>> On Wed, 2012-01-04 at 12:11 +0100, Stefan (metze) Metzmacher wrote:
> >>>> Hi Andrew,
> >>>>> It now passes make test. I had to unify the principal selection logic
> >>>>> between the gse code and the session setup code to avoid MIT-kerberos
> >>>>> generated DNS lookups in make test:
> >>>>> http://git.samba.org/?p=abartlet/samba.git/.git;a=commitdiff;h=23ad69757911f2af86558c5752420e9e70228160
> >>>>> A similar change needs to be made to the smb seal client, and a ktest
> >>>>> similar to the rpcclient test needs to be added.
> >>>>> So, after a long gestation, finally I think this is ready to be
> >>>>> submitted to autobuild!
> >>>> I'll take a look at it and may push it, ok?
> >>> Thanks metze!
> >> Thanks for pushing the parts you had, and for finding the MIT krb5
> >> gss_wrap_iov bug!
> >> To try and help, I've updated my branch, dropping the untested patch for
> >> the smb2 torture test and rebasing on top of your reindent work:
> >> https://git.samba.org/abartlet/samba.git/?p=abartlet/samba.git/.git;a=shortlog;h=refs/heads/s3-rpc-gensec
> >> I also put my full branch s3-rpc-gensec-wip past an autobuild, and it
> >> passes:
> >> https://git.samba.org/abartlet/samba.git/?p=abartlet/samba.git/.git;a=shortlog;h=refs/heads/s3-rpc-gensec-wip
> >> Let me know if there is anything more I can do to help,
> > Does the autobuild test both with heimdal and MIT kerberos ?
> Yes, with heimdal in the top-level waf build and with MIT 1.8.1
> in the source3 autoconf build.
> That way I found the bug in MIT 1.8.1, see
> Just for the record I'll push Andrew's code step by step.
> I maintain a branch with some comments in the commit messages here:
TODO Determine target service/ don't use server = NULL
s3-librpc Supply target service and server to spnego_generic_init_client()
The reason the target service is left as a TODO is to (again) avoid
changing the behaviour. I agree that we cannot leave the target service
as "cifs". The same is true for the target server -
gensec_get_target_service() returns NULL before this patch, and this
keeps it that way, which is perfectly OK while NTLMSSP is forced.
TODO don't add missing ../auth/gensec/gensec_util.o here
s3-build: Rework object lists to allow gse gensec module
gensec_util.o is present at this time. See
TODO: netsamlogon cache / all stuff, but NOT_IMPLEMENTED ?
s3-auth Add auth hook for PAC parsing
The pattern of providing NULL pointers for the other elements is already
in use in bind9_dlz and the rpc.pac torture test.
But I think we can certainly provide some of the elements - the loadparm
context in particular, and I hope to provide the NTLM functions soon (to
unify the NTLMSSP servers). We could provide a private pointer for the
s3/s4 backend specific stuff if need be.
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org