[PATCH] fix Samba3 LSA CreateTrustedDomainsEx2

Alexander Bokovoy ab at samba.org
Fri Mar 9 04:16:28 MST 2012


On Fri, Mar 9, 2012 at 12:29, Stefan (metze) Metzmacher <metze at samba.org> wrote:
>> I don't quite get why auth_session_info needs to be opaque, but I agree
>> about dealing with the session key separately.  (There may be additional
>> reasons in SMB2 re-authentication as hinted at in the paragraph above.
>> That is, perhaps the session key could change!)
>
> I don't think reauth changes the session key.
>
> But what we need here is the transport layer session key and not the one
> from the session info.
> (We need a better separation of all the keys,
> not that with smb 2.2 there's an "Application Key", which is supposed to be
> used by the rpc layer).
LSA and SAMR over SMB use pipes_struct.session_info.session_key. This
one gets initialized with transport layer session key when
pipes_struct is created and initialized. So here we are fine. I agree
that we need to properly name the keys and maintain access to them
using clear intents.

Maybe something like
  NTSTATUS pipe_extract_session_key(pipe, &session_key, KEY_USE_{TRANSPORT,APPLICATION,SESSION}[_16BYTES])
to allow clearly pointing to what is needed in a specific layer?

Then at pipe_struct there could be a function pointer to handle
internal details of SystemLibraryDTC/NULL/authenticated key, though
over TCPIP transport session key is always either SystemLibraryDTC or
NULL as we don't have DRSUAPI in Samba3.
-- 
/ Alexander Bokovoy
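
The accessor proposed in the message above, sketched as an added example (not code from the thread or from Samba). The struct, the int return codes, the flag value and the reading of `_16BYTES` as "truncate to the first 16 bytes, fail if shorter" are all assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical types: stand-ins for pipes_struct and NTSTATUS, not Samba's. */
enum key_use { KEY_USE_TRANSPORT, KEY_USE_APPLICATION, KEY_USE_SESSION };
#define KEY_USE_16BYTES 0x100u /* assumed flag: caller needs exactly 16 bytes */

struct key_blob { uint8_t data[32]; size_t len; };

struct demo_pipe {
    struct key_blob session;     /* key carried in the session info */
    struct key_blob application; /* e.g. the SMB 2.2 "Application Key" */
    /* per-transport hook: fills *out and returns 0, or -1 if there is no key */
    int (*transport_key)(const struct demo_pipe *p, struct key_blob *out);
};

/* Hook for a TCP/IP transport that uses the fixed SystemLibraryDTC key. */
int tcpip_transport_key(const struct demo_pipe *p, struct key_blob *out)
{
    (void)p;
    memcpy(out->data, "SystemLibraryDTC", 16);
    out->len = 16;
    return 0;
}

/* Hook for the NULL case: the transport has no session key at all. */
int null_transport_key(const struct demo_pipe *p, struct key_blob *out) { (void)p; (void)out; return -1; }

int pipe_extract_session_key(const struct demo_pipe *p, struct key_blob *out, unsigned use)
{
    int rc = 0;
    memset(out, 0, sizeof(*out));
    switch (use & 0xffu) { /* low byte selects which key the layer wants */
    case KEY_USE_TRANSPORT:   rc = p->transport_key ? p->transport_key(p, out) : -1; break;
    case KEY_USE_APPLICATION: *out = p->application; break;
    case KEY_USE_SESSION:     *out = p->session; break;
    default:                  rc = -1;
    }
    if (rc == 0 && out->len == 0) rc = -1; /* never return an empty key as success */
    if (rc == 0 && (use & KEY_USE_16BYTES)) {
        if (out->len < 16) rc = -1; /* too short to satisfy the request */
        else { memset(out->data + 16, 0, sizeof(out->data) - 16); out->len = 16; }
    }
    if (rc != 0) memset(out, 0, sizeof(*out)); /* no partial key material on failure */
    return rc;
}
```

A caller that names the wrong key for its layer fails closed here instead of silently getting whichever key happened to be stored.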

