HELP wanted: An async gensec

Andrew Bartlett abartlet at samba.org
Thu Jun 27 22:20:54 MDT 2013 

I know a large number of folks of the team have been long frustrated by
the lack of async in gensec.  

My issue isn't a lack of desire to do this, but that because of the
different work I've been doing in Samba, that I have real difficulty
getting my head around the tevent patterns, particularly in this complex
area.  I also wasn't sure how to do this without having an async gssapi
lib to build on. 

What I'm hoping for is someone to work closely with me as we implement
this.

What I plan is this much:

First, I want to make 'samba' (the binary) and anything else using the
machine account password use a common FILE based ccache, in the private
dir.  The idea here is that files can be safely shared between
processes, and this will avoid most calls to the KDC, as most of the
time there is already a ticket for the service we want to contact.

Then, I want, when a file based ccache is in use:

 - To fork (like source4/libcli/resolv/dns_ex.c does) and have the child
do the talking to the KDC, both for the initial ticket work, and for the
GSS calls.

 - When doing a fork() for the GSS calls, I would return the gss state
via gss_export_sec_context() to the calling process.  

If a MEMORY based ccache is in use, we would do blocking calls instead,
but NOT pass an event context in to the send_to_kdc routines - they
would create a new one and block.  This shouldn't impact on the 'samba'
binary single-process mode, as it uses the machine account password.
(This should therefore remove the most challenging nested event loop in
Samba). 

Finally, for the server-side NTLMSSP code, I would like the call to
winbind to be changed from using libwbclient to using IRPC, and to build
on top of that already tevent-enabled library, to allow async NTLM
logins in the SMB server.  

Does anybody have the time to be able to help me with this?  

Thanks,

Andrew Bartlett
-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org

More information about the samba-technical mailing list