[PATCH 4/5] s3-rpc: add server support for mgmt_inq_princ_name
David Disseldorp
ddiss at suse.de
Wed Jan 15 12:54:10 MST 2014
On Thu, 16 Jan 2014 07:59:53 +1300
Andrew Bartlett <abartlet at samba.org> wrote:
> > > > + /* MS-RPCE 2.2.1.1.7 Security Providers */
> > > > + const uint32 MGMT_AUTHN_NONE = 0x00;
> > > > + const uint32 MGMT_AUTHN_GSS_NEG = 0x09;
> > > > + const uint32 MGMT_AUTHN_WINNT = 0x0A;
> > > > + const uint32 MGMT_AUTHN_GSS_SCHANNEL = 0x0E;
> > > > + const uint32 MGMT_AUTHN_GSS_KERBEROS = 0x10;
> > > > + const uint32 MGMT_AUTHN_NETLOGON = 0x44;
> > > > + const uint32 MGMT_AUTHN_DEFAULT = 0xFF;
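Review bot: MGMT_AUTHN_GSS_SCHANNEL (0x0E) and MGMT_AUTHN_NETLOGON (0x44) each need a comment, because the names invite confusion with dcerpc.idl, where the value 68 (0x44) is called DCERPC_AUTH_TYPE_SCHANNEL and 0x0E has no entry at all. More generally, the block is documented only by the MS-RPCE 2.2.1.1.7 section reference. A short comment per constant giving the dcerpc.idl equivalent (DCERPC_AUTH_TYPE_SPNEGO for 0x09, DCERPC_AUTH_TYPE_NTLMSSP for 0x0A, DCERPC_AUTH_TYPE_KRB5 for 0x10), or stating that there is none, would make the overlap explicit and reduce the chance of a value from one set being compared against the other by mistake.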
> > >
> > > Can you reuse the DCERPC_AUTH_TYPE_* values from dcerpc.idl?
> >
> > There's some overlap with these values, but the mapping doesn't appear
> > to be consistent. I'd prefer to use the definitions above as they are
> > in MS-RPCE 2.2.1.1.7.
>
> What exactly are the differences? I'm very cautious about this kind of
> duplication, my experience in the auth area is that this stuff really is
> defined only once, and that what we have seen as differences turns out
> to be misunderstandings or an incomplete view.
DCERPC_AUTH_TYPE_NONE = 0,
Same.

DCERPC_AUTH_TYPE_KRB5_1 = 1,
Not defined in MS-RPCE 2.2.1.1.7.

DCERPC_AUTH_TYPE_SPNEGO = 9,
Referred to as AUTHN_GSS_NEG.

DCERPC_AUTH_TYPE_NTLMSSP = 10,
Referred to as AUTHN_WINNT.

MS-RPCE 2.2.1.1.7 defines an AUTHN_GSS_SCHANNEL type here (0x0E).

DCERPC_AUTH_TYPE_KRB5 = 16,
Same (AUTHN_GSS_KERBEROS).

DCERPC_AUTH_TYPE_DPA = 17,
DCERPC_AUTH_TYPE_MSN = 18,
DCERPC_AUTH_TYPE_DIGEST = 21,
Not defined.

DCERPC_AUTH_TYPE_SCHANNEL = 68,
Referred to as AUTHN_NETLOGON

DCERPC_AUTH_TYPE_MSMQ = 100,
Not defined.

DCERPC_AUTH_TYPE_NCALRPC_AS_SYSTEM = 200
Not defined.

MS-RPCE 2.2.1.1.7 defines an AUTHN_DEFAULT type here (0xFF) which is
to be translated on the client side to AUTHN_WINNT.

0x09, 0x0A and 0x10 appear to be the only values handled by the mgmt RPC
server, which can be mapped to the DCERPC_AUTH_TYPE_* values. On the
client side AUTHN_DEFAULT (0xFF) would be needed.

Do you really feel strongly about this, or can I continue to use the
values from the spec?

Cheers, David