[PATCH] Allow Huawei Unified Storage System S5500 V3 to join the AD DC
Andrew Bartlett
abartlet at samba.org
Tue Aug 4 01:41:01 UTC 2015
On Mon, 2015-08-03 at 21:31 -0400, Simo wrote:
> On Tue, 2015-08-04 at 10:59 +1200, Andrew Bartlett wrote:
> > This patch allows the Huawei Unified Storage System S5500 V3 to join a
> > Samba AD DC. It appears to have a hand-rolled GSSAPI implementation
> > that is compatible with Windows, but not the spec.
> >
> > Upstream Heimdal has chosen to be compatible with Windows in this case,
> > see: https://github.com/heimdal/heimdal/pull/134
> >
> > I acknowledge that concerns were raised in a private forum regarding
> > this being unconditional, however as the patch has been accepted as
> > presented here into upstream Heimdal, it is best that we import it
> > directly.
> >
> > Note: For the MIT Kerberos port, this sadly does mean we will need to
> > implement the gssapi_krb5 GENSEC mech, as the fake_gssapi method there
> > is currently the only test for this codepath.
>
> In the second patch you seem to set REPLAY and SEQUENCE flags when the
> checksum is NULL, but dochelp reported that you should consider as no
> flag is set at all.
>
> Why this difference?

You are correct, to fully match what dochelp said we shouldn't set
those. I did it this way so as not to change the existing behaviour
that has worked well for a number of years now, and what was already in
the patch I had validated against the NAS (which I don't have direct
access to).

Anybody who proceeds with hand-built GSSAPI after this setup stage
really needs to re-think their choices, so it is my hope that this
never matters.

Thanks,

Andrew Bartlett
--
Andrew Bartlett
https://samba.org/~abartlet/
Authentication Developer, Samba Team https://samba.org
Samba Development and Support, Catalyst IT
https://catalyst.net.nz/services/samba