[PATCH 4/5] s3-rpc: add server support for mgmt_inq_princ_name
Andrew Bartlett
abartlet at samba.org
Wed Jan 15 13:03:34 MST 2014
On Wed, 2014-01-15 at 20:54 +0100, David Disseldorp wrote:
> On Thu, 16 Jan 2014 07:59:53 +1300
> Andrew Bartlett <abartlet at samba.org> wrote:
>
> > > > > + /* MS-RPCE 2.2.1.1.7 Security Providers */
> > > > > + const uint32 MGMT_AUTHN_NONE = 0x00;
> > > > > + const uint32 MGMT_AUTHN_GSS_NEG = 0x09;
> > > > > + const uint32 MGMT_AUTHN_WINNT = 0x0A;
> > > > > + const uint32 MGMT_AUTHN_GSS_SCHANNEL = 0x0E;
> > > > > + const uint32 MGMT_AUTHN_GSS_KERBEROS = 0x10;
> > > > > + const uint32 MGMT_AUTHN_NETLOGON = 0x44;
> > > > > + const uint32 MGMT_AUTHN_DEFAULT = 0xFF;
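Review bot: MGMT_AUTHN_DEFAULT = 0xFF is declared alongside the concrete provider ids with nothing to mark it as different from them, and the only documentation for the whole list is the section reference in the comment on the first line. A short comment on each constant would make the intended handling reviewable, stating what it denotes and whether the server is expected to accept it in a mgmt_inq_princ_name request. MGMT_AUTHN_GSS_SCHANNEL (0x0E) and MGMT_AUTHN_NETLOGON (0x44) in particular are easy to confuse by name alone. The MGMT_ prefix also reads as if these values were private to the mgmt interface, while the comment cites the general MS-RPCE security provider list, so the comment should say why the list is declared here.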
> > > >
> > > > Can you reuse the DCERPC_AUTH_TYPE_* values from dcerpc.idl?
> > >
> > > There's some overlap with these values, but the mapping doesn't appear
> > > to be consistent. I'd prefer to use the definitions above as they are
> > > in MS-RPCE 2.2.1.1.7.
> >
> > What exactly are the differences? I'm very cautious about this kind of
> > duplication, my experience in the auth area is that this stuff really is
> > defined only once, and that what we have seen as differences turns out
> > to be misunderstandings or an incomplete view.
>
> DCERPC_AUTH_TYPE_NONE = 0,
> Same.
>
> DCERPC_AUTH_TYPE_KRB5_1 = 1,
> Not defined in MS-RPCE 2.2.1.1.7.
>
> DCERPC_AUTH_TYPE_SPNEGO = 9,
> Referred to as AUTHN_GSS_NEG.
>
> DCERPC_AUTH_TYPE_NTLMSSP = 10,
> Referred to as AUTHN_WINNT.
>
> MS-RPCE 2.2.1.1.7 defines an AUTHN_GSS_SCHANNEL type here (0x0E).
>
> DCERPC_AUTH_TYPE_KRB5 = 16,
> Same (AUTHN_GSS_KERBEROS).
>
> DCERPC_AUTH_TYPE_DPA = 17,
> DCERPC_AUTH_TYPE_MSN = 18,
> DCERPC_AUTH_TYPE_DIGEST = 21,
> Not defined.
>
> DCERPC_AUTH_TYPE_SCHANNEL = 68,
> Referred to as AUTHN_NETLOGON
>
> DCERPC_AUTH_TYPE_MSMQ = 100,
> Not defined.
>
> DCERPC_AUTH_TYPE_NCALRPC_AS_SYSTEM = 200
> Not defined.
>
> MS-RPCE 2.2.1.1.7 defines an AUTHN_DEFAULT type here (0xFF) which is
> to be translated on the client side to AUTHN_WINNT.
>
> 0x09, 0x0A and 0x10 appear to be the only values handled by the mgmt RPC
> server, which can be mapped to the DCERPC_AUTH_TYPE_* values. On the
> client side AUTHN_DEFAULT (0xFF) would be needed.
>
> Do you really feel strongly about this, or can I continue to use the
> values from the spec?

All I see are values missing from the DCERPC_AUTH_TYPE table, and
variations in name due to the history of our code. Please use/fix the
DCERPC_AUTH_TYPE table.

Thanks,

Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba