[PATCH] Implement GSE as a gensec module for GSSAPI in s3

Stefan (metze) Metzmacher metze at samba.org
Tue Jan 24 08:21:23 MST 2012


Hi Andrew,

just a quick update...

https://gitweb.samba.org/?p=metze/samba/wip.git;a=shortlog;h=refs/heads/master4-abartlet
has some more updates, which I plan to push tomorrow, when I've tested them.

metze

On 06.01.2012 23:06, Andrew Bartlett wrote:
> On Fri, 2012-01-06 at 15:07 +0100, Stefan (metze) Metzmacher wrote:
>> On 06.01.2012 14:51, simo wrote:
>>> On Fri, 2012-01-06 at 15:58 +1100, Andrew Bartlett wrote: 
>>>> On Thu, 2012-01-05 at 07:40 +1100, Andrew Bartlett wrote:
>>>>> On Wed, 2012-01-04 at 12:11 +0100, Stefan (metze) Metzmacher wrote:
>>>>>> Hi Andrew,
>>>>>>
>>>>>>> It now passes make test.  I had to unify the principal selection logic
>>>>>>> between the gse code and the session setup code to avoid MIT-kerberos
>>>>>>> generated DNS lookups in make test:
>>>>>>>
>>>>>>> http://git.samba.org/?p=abartlet/samba.git/.git;a=commitdiff;h=23ad69757911f2af86558c5752420e9e70228160
>>>>>>>
>>>>>>> A similar change needs to be made to the smb seal client, and a ktest
>>>>>>> similar to the rpcclient test needs to be added. 
>>>>>>>
>>>>>>> So, after a long gestation, finally I think this is ready to be
>>>>>>> submitted to autobuild!
>>>>>>
>>>>>> I'll take a look at it and may push it, ok?
>>>>>
>>>>> Thanks metze!
>>>>
>>>> Thanks for pushing the parts you had, and for finding the MIT krb5
>>>> gss_wrap_iov bug!
>>>>
>>>> To try and help, I've updated my branch, dropping the untested patch for
>>>> the smb2 torture test and rebasing on top of your reindent work:
>>>>
>>>> https://git.samba.org/abartlet/samba.git/?p=abartlet/samba.git/.git;a=shortlog;h=refs/heads/s3-rpc-gensec
>>>>  
>>>> I also put my full branch s3-rpc-gensec-wip past an autobuild, and it
>>>> passes:
>>>>
>>>> https://git.samba.org/abartlet/samba.git/?p=abartlet/samba.git/.git;a=shortlog;h=refs/heads/s3-rpc-gensec-wip 
>>>>
>>>> Let me know if there is anything more I can do to help,
>>>
>>> Does the autobuild test both with heimdal and MIT kerberos?
>>
>> Yes, with heimdal in the top-level waf build and with MIT 1.8.1
>> in the source3 autoconf build.
>>
>> That way I found the bug in MIT 1.8.1, see
>> https://gitweb.samba.org/?p=samba.git;a=commitdiff;h=73ed88df350c0e307fcf7402be12170c22f2227e
>>
>> Just for the record I'll push Andrew's code step by step.
>> I maintain a branch with some comments in the commit messages here:
>> https://gitweb.samba.org/?p=metze/samba/wip.git;a=shortlog;h=refs/heads/master4-abartlet
> 
> Regarding:
> TODO Determine target service/ don't use server = NULL s3-librpc Supply
> target service and server to spnego_generic_init_client()
> 
> http://git.samba.org/?p=metze/samba/wip.git;a=commitdiff;h=a3b3776f9e4e2bdfb6764e040e0dc4649315b882
> 
> The reason the target service is left as a TODO is to (again) avoid
> changing the behaviour.  I agree that we cannot leave the target service
> as "cifs".  The same is true for the target server -
> gensec_get_target_service() returns NULL before this patch, and this
> keeps it that way, which is perfectly OK while NTLMSSP is forced.
> 
> Regarding:
> TODO don't add missing ../auth/gensec/gensec_util.o here s3-build:
> Rework object lists to allow gse gensec module
> 
> http://git.samba.org/?p=metze/samba/wip.git;a=commitdiff;h=96cca7d5d1c95a7239770bffa979c3b1e46d3798
> 
> gensec_util.o is present at this time.  See
> http://git.samba.org/?p=metze/samba/wip.git;a=commitdiff;h=b743fdb8d2eced3d24c59cf5f044326e6cc810e1
> 
> Regarding:
> TODO: netsamlogon cache / all stuff, but NOT_IMPLEMENTED ? s3-auth Add
> auth hook for PAC parsing
> http://git.samba.org/?p=metze/samba/wip.git;a=commitdiff;h=0affe6459072fd6946447eb6115538405c76d89e
> 
> The pattern of providing NULL pointers for the other elements is already
> in use in bind9_dlz and the rpc.pac torture test. 
> 
> But I think we can certainly provide some of the elements - the loadparm
> context in particular, and I hope to provide the NTLM functions soon (to
> unify the NTLMSSP servers).  We could provide a private pointer for the
> s3/s4 backend specific stuff if need be.
> 
> Andrew Bartlett
> 
