s3:auth/auth_generic: make use of gensec_spnego in the server

Andrew Bartlett abartlet at samba.org
Tue Jan 31 17:21:34 MST 2012


On Tue, 2012-01-31 at 23:21 +0100, Michael Adam wrote:
> Hi Metze and Andrew,
> 
> Stefan Metzmacher wrote:
> > The branch, master has been updated
> >        via  507872f s3:smbd: inline code in reply_sesssetup_and_X_spnego()
> >        via  5f79ad5 s3:smbd: the spnego session setup don't need to copy the in blob
> >        via  ec0142d s3:smbd: rework reply_spnego_ntlmssp to reply_spnego_generic
> >        via  ee15790 s3:smbd: remove unused code from sesssetup.c
> >        via  63f6567 s3:smbd: remove pending_auth_data logic
> >        via  8327ee9 s3:smbd: always use the gensec code path in sesssetup.c
> >        via  3383ebb s3:smbd: rework smbd_smb2_*_ntlmssp_auth* to smbd_smb2_auth_generic*
> >        via  58e401f s3:smbd: always use the gensec code path in smb2_sesssetup.c
> >        via  5ad7665 libcli/smb: Convert struct smb_trans_enc_state to talloc
> >        via  fce53e0 s3-libsmb: Remove unused enum smb_trans_enc_type
> >        via  a1a667d s3-libsmb: Use gensec_spnego in smb seal client
> >        via  d6b0d52 s3-smbd: Use gensec_spnego in smb seal server
> >        via  204dfd2 s3:libsmb/auth_generic: make use of gensec_spnego in the client
> >        via  ab364e9 s3:auth/auth_generic: make use of gensec_spnego in the server
> >       from  2b1d7ac s3: Unify stream testing in open_directory
> > 
> > http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
> > 
> > [...] 
> > 
> > Summary of changes:
> >  libcli/smb/smbXcli_base.c     |    4 +-
> >  libcli/smb/smb_seal.c         |   19 -
> >  libcli/smb/smb_seal.h         |    8 -
> >  source3/auth/auth_generic.c   |   13 +-
> >  source3/libsmb/auth_generic.c |   13 +-
> >  source3/libsmb/clifsinfo.c    |   80 +---
> >  source3/param/loadparm_ctx.c  |    1 +
> >  source3/smbd/globals.h        |    2 -
> >  source3/smbd/proto.h          |    4 -
> >  source3/smbd/seal.c           |  370 ++-------------
> >  source3/smbd/sesssetup.c      | 1067 ++++-------------------------------------
> >  source3/smbd/smb2_sesssetup.c |  503 ++------------------
> >  12 files changed, 179 insertions(+), 1905 deletions(-)
> 
> Nice! :-)

Thanks!

I wish to particularly thank Metze for his tireless efforts finishing
and merging this patch series.  I started this work over Christmas, and
worked with Metze to have this, and the work leading up to it, reviewed
and tested.

But it should be recognised that Metze did a lot of the heavy lifting,
particularly on the last set of patches, both with work to complete some
work-in-progress patches I had started on, and also careful testing and
painstaking analysis ensuring that we do not lose features or introduce
regressions between the two systems.

This is also an important day for the release of Samba 4.0, because we
now share a common layer for handling blob-based authentication.  While
the gensec backends are still separate at this point, they exhibit very
similar behaviour, and so we are much less likely to have bugs that only
show when we are an AD DC, or when we are a member server.

Even within pure file server use cases, by bringing so much of this code
in common, we reduce the chance that we will get divergent behaviour
between the RPC, SMB and SMB2 login interfaces.  This is really
important - we previously manually parsed GSSAPI in the SMB server, but
used real GSSAPI libraries in the RPC server.  The chances that a login
would be accepted by one, but fail on the other, were quite real.

We have also added a number of test cases to "make test", providing test
coverage for Kerberos-encrypted RPC and SMB.

Finally, this should allow AES Kerberos tickets to be accepted by all of
Samba, and make it much easier to consistently introduce new
authentication mechanisms, such as NegoEx and MSN authentication, across
all of Samba.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org