Getting rid of smb_krb5_send_and_recv_func()

Niklas Andersson niklas.andersson at openforce.se
Tue May 6 01:21:09 MDT 2014


Hi Andreas,

 Interesting to read about your cwrap effort. Very interesting. I am
working on some automated setups of Samba4 as an AD DC, and realmd as
client; for testing purposes I am using Vagrant.

 You can have a look at this repo if you are interested [1].

 Basically you do a "vagrant up dc" and "vagrant up realmd" and you're set.

 I have added some nice hooks to Wireshark into these machines and get the
packages out. That is what the script vshark is for.

 You do "vshark dc" to start getting the packets from the domain
controller, "vshark realmd" to get the packets from the client.

 Pretty much work-in-progress here but you might get some ideas.

[1] https://github.com/xnandersson/dcpromo-vagrant-ocn

Regards,
Niklas



2014-05-06 8:25 GMT+02:00 Andreas Schneider <asn at samba.org>:

> On Tuesday 06 May 2014 10:52:00 you wrote:
> > On Mon, 2014-05-05 at 09:32 +0200, Andreas Schneider wrote:
> > > On Thursday 01 May 2014 09:31:50 Andrew Bartlett wrote:
> > > > On Wed, 2014-04-30 at 11:54 +0200, Andreas Schneider wrote:
> > > > > Hi,
> > > > >
> > > > > > With Andrew's patches and the preloadable socket_wrapper we're now
> > > > > > able to get rid of smb_krb5_send_and_recv_func().
> > > > > >
> > > > > > I've prepared a patchset here:
> > > > > >
> > > > > > https://git.samba.org/?p=asn/samba.git;a=shortlog;h=refs/heads/smb_krb5_send_and_recv_func
> > > > >
> > > > >
> > > > > A local 'make test' completed successfully.
> > > >
> > > > > My main concern is that this implies that we are backing down from
> > > > > Kerberos due to it failing, rather than actually handling this
> > > > > properly.
> > >
> > > > I don't really get what you want to explain to me. For me this code
> > > > looks like it has been created so that heimdal works with
> > > > socket_wrapper.
> > >
> > > > > That is, I think we fall into the KDC not found case, and fall back
> > > > > to NTLM, when Samba is operating in single process mode.
> > >
> > > > If we remove this function then heimdal will take care of sending the
> > > > packet, doesn't it?
> > > >
> > > > Can you please explain this in more detail so that Günther and I
> > > > understand the purpose of these functions.
> >
> > It has three purposes:
> >
> > To use socket_wrapper, and to use our name resolution, and to use our
> > event loop, so a single-process mode server can talk to itself.  You
> > handled the first, perhaps the second and not the third.
>
> nss_wrapper does name resolution and this works even with system libraries!
> For more details read: https://lwn.net/Articles/594863/
>
> So this leaves the event loop. Why does it need to use the Samba event
> loop?
>
>
> > Please do not remove this without my explicit ACK.
>
> We're trying to port Samba 4 to MIT Kerberos and are trying to understand
> why we do certain things. Please go into more detail so we can understand
> why it was done this way.
>
>
> Cheers,
>
>
>         -- andreas
>
> --
> Andreas Schneider                   GPG-ID: CC014E3D
> Samba Team                             asn at samba.org
> www.samba.org
>
>

