[PATCH] using gensec_gse and gensec_spnego in s3 session setup

Stefan (metze) Metzmacher metze at samba.org
Tue Jan 24 22:02:05 MST 2012

Hi Andrew,

> In looking over your changes, I note that in:
> s3-gse: add GENSEC_FEATURE_NEW_SPNEGO detection in
> gensec_gse_have_feature()
> https://gitweb.samba.org/?p=metze/samba/wip.git;a=commitdiff;h=986b8487d69c85e2118d58b23642aacf4964d02e
> I can't see where the lucid context is freed in the success case.  In
> gensec_gssapi this is done in the talloc destructor.

Thanks for finding this, I've added it to the destructor.

> Finally, I should point out a remaining difference between the PAC
> handling code in auth_generic and the current code inline in
> sesssetup.c.
> The sesssetup.c:reply_spnego_kerberos() code has:
> 	/* setup the string used by %U */
> 	sub_set_smb_name(real_username);
> 	/* reload services so that the new %U is taken into account */
> 	reload_services(sconn, conn_snum_used, true);

This only has an impact on the make_session_info_krb5()
and register_initial_vuid() code, so I guess there's no impact at all.
Do you see any impact?

> This matches (roughly) the code in
> auth_ntlmssp.c:auth_ntlmssp_check_password():
> 	/* setup the string used by %U */
> 	/* sub_set_smb_name checks for weird internally */
> 	sub_set_smb_name(gensec_ntlmssp->ntlmssp_state->user);
> 	lp_load(get_dyn_CONFIGFILE(), false, false, true, true);
> This block isn't in auth_generic.c:auth3_generate_session_info_pac() as
> the gse RPC server code on which it was based.  The previous behaviour
> was inconsistent - the NTLMSSP code always did this, as it has been
> common for longer.

register_existing_vuid() calls set_current_user_info(), which calls
sub_set_smb_name(), so I think the smb1 session setup is consistent now.

For the kerberos case (above) we call register_existing_vuid() and
reload_services(sconn, conn_snum_used, true); again.

I'm about to also add this to the smb2_sesssetup.c code...
(The patch is in autobuild)

> I don't like the idea of reloading the smb.conf and changing %U in
> general, but our users have come to expect it.  The challenge is doing
> this right in generic gensec code (rather than only on session setups).
> If we make it conditional we may wish to inherit in a GENSEC_FEATURE_
> for this.

Maybe, but could we copy the auth_ntlmssp.c chunk to auth_generic
as a first step?

> Please let me know if there is anything more I can do to help.

Currently review and testing :-)
