[PATCH] using gensec_gse and gensec_spnego in s3 session setup

Andrew Bartlett abartlet at samba.org
Tue Jan 24 14:04:57 MST 2012


On Tue, 2012-01-24 at 16:21 +0100, Stefan (metze) Metzmacher wrote:
> Hi Andrew,
> 
> just a quick update...
> 
> https://gitweb.samba.org/?p=metze/samba/wip.git;a=shortlog;h=refs/heads/master4-abartlet
> has some more updates, which I plan to push tomorrow, when I've tested them.

Thanks.  I've been following your git branch with interest while at
linux.conf.au, and it has been incredibly encouraging to see this work
progress.  You seem to have worked past a number of issues that I wasn't
able to resolve in my 'wip' branch, and I thank you in particular for
that.

In looking over your changes, I note that in:
s3-gse: add GENSEC_FEATURE_NEW_SPNEGO detection in
gensec_gse_have_feature()
https://gitweb.samba.org/?p=metze/samba/wip.git;a=commitdiff;h=986b8487d69c85e2118d58b23642aacf4964d02e

I can't see where the lucid context is freed in the success case.  In
gensec_gssapi this is done in the talloc destructor.

Finally, I should point out a remaining difference between the PAC
handling code in auth_generic and the current code inline in
sesssetup.c.

The sesssetup.c:reply_spnego_kerberos() code has:
	/* setup the string used by %U */
	sub_set_smb_name(real_username);

	/* reload services so that the new %U is taken into account */
	reload_services(sconn, conn_snum_used, true);

This matches (roughly) the code in
auth_ntlmssp.c:auth_ntlmssp_check_password():
	/* setup the string used by %U */
	/* sub_set_smb_name checks for weird internally */
	sub_set_smb_name(gensec_ntlmssp->ntlmssp_state->user);

	lp_load(get_dyn_CONFIGFILE(), false, false, true, true);

This block isn't in auth_generic.c:auth3_generate_session_info_pac() as
the gse RPC server code on which it was based.  The previous behaviour
was inconsistent - the NTLMSSP code always did this, as it has been
common for longer. 

I don't like the idea of reloading the smb.conf and changing %U in
general, but our users have come to expect it.  The challenge is doing
this right in generic gensec code (rather than only on session setups).
If we make it conditional we may wish to inherit in a GENSEC_FEATURE_
for this. 

Please let me know if there is anything more I can do to help.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
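The lifetime pattern Andrew refers to above (the lucid context owned by the
security context and released from its destructor, so a feature probe that
succeeds does not need its own free) is shown below as an added, constructed
example. It is not Samba code and does not use talloc or GSSAPI: the owner
struct, the `destructor` pointer, `export_lucid()` and the `protocol == 1`
check standing in for the NEW_SPNEGO detection are all hypothetical stand-ins
for the real `gensec_gse_have_feature()` / `gss_inquire_sec_context_by_oid()`
path. A live-object counter makes the leak visible.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed example (not Samba code). Models binding the lifetime of an
 * exported "lucid" context to its owning security context through a
 * talloc-style destructor, so neither the success nor the failure path of a
 * feature probe has to free it. All names here are hypothetical. */

static int live_lucid_contexts = 0;     /* allocations still alive */

/* Stand-in for the GSSAPI lucid context: it carries key material, so it is
 * wiped before release. */
struct lucid_ctx {
    unsigned char session_key[16];
    int protocol;                       /* 0 = RFC 1964 style, 1 = RFC 4121 (CFX) */
};

struct sec_ctx {
    struct lucid_ctx *lucid;            /* owned by this struct */
    void (*destructor)(struct sec_ctx *ctx);
};

static void sec_ctx_destructor(struct sec_ctx *ctx)
{
    if (ctx->lucid != NULL) {
        /* wipe first: the lucid context holds the session key */
        memset(ctx->lucid, 0, sizeof(*ctx->lucid));
        free(ctx->lucid);
        ctx->lucid = NULL;
        live_lucid_contexts--;
    }
}

struct sec_ctx *sec_ctx_new(void)
{
    struct sec_ctx *ctx = calloc(1, sizeof(*ctx));
    if (ctx == NULL) {
        return NULL;
    }
    ctx->destructor = sec_ctx_destructor;   /* registered once, at creation */
    return ctx;
}

void sec_ctx_free(struct sec_ctx *ctx)
{
    if (ctx == NULL) {
        return;
    }
    if (ctx->destructor != NULL) {
        ctx->destructor(ctx);               /* releases whatever the ctx owns */
    }
    free(ctx);
}

/* Stand-in for the export step (gss_inquire_sec_context_by_oid in the real
 * code); fills in constructed values only. */
static struct lucid_ctx *export_lucid(void)
{
    struct lucid_ctx *l = calloc(1, sizeof(*l));
    if (l == NULL) {
        return NULL;
    }
    memset(l->session_key, 0xA5, sizeof(l->session_key));  /* constructed key */
    l->protocol = 1;
    live_lucid_contexts++;
    return l;
}

/* Feature probe in the style of gensec_gse_have_feature(). Returns 1 when the
 * exported context is CFX style (assumed here to be the NEW_SPNEGO signal),
 * 0 otherwise, -1 if the export failed. On every return the lucid context
 * remains owned by ctx; nothing is freed in this function. */
int sec_ctx_have_new_spnego(struct sec_ctx *ctx)
{
    if (ctx->lucid == NULL) {
        ctx->lucid = export_lucid();
        if (ctx->lucid == NULL) {
            return -1;
        }
    }
    return ctx->lucid->protocol == 1 ? 1 : 0;
}

int live_lucid_count(void)
{
    return live_lucid_contexts;
}

int main(void)
{
    struct sec_ctx *ctx = sec_ctx_new();
    int have = sec_ctx_have_new_spnego(ctx);
    printf("new spnego: %d, live lucid contexts: %d\n", have, live_lucid_count());
    sec_ctx_free(ctx);
    printf("after free, live lucid contexts: %d\n", live_lucid_count());
    return 0;
}
```

The probe can be called repeatedly and on either outcome without a matching
release call; the count drops to zero only when the owning context goes away,
which is the property a reviewer is checking for when asking where the
success case frees the lucid context.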