[PATCH] Allow Huawei Unified Storage System S5500 V3 to join the AD DC

Andrew Bartlett abartlet at samba.org
Tue Aug 4 01:41:01 UTC 2015

On Mon, 2015-08-03 at 21:31 -0400, Simo wrote:
> On Tue, 2015-08-04 at 10:59 +1200, Andrew Bartlett wrote:
> > This patch allows the Huawei Unified Storage System S5500 V3 to 
> > join 
> > a
> > Samba AD DC.  It appears to have a hand-rolled GSSAPI 
> > implementation
> > that is compatible with Windows, but not the spec.
> > 
> > Upstream Heimdal has chosen to be compatible with Windows in this 
> > case,
> > see: https://github.com/heimdal/heimdal/pull/134
> > 
> > I acknowledge that concerns were raised in a private forum 
> > regarding
> > this being unconditional, however as the patch has been accepted as
> > presented here into upstream Heimdal, it is best that we import it
> > directly. 
> > 
> > Note: For the MIT Kerberos port, this sadly does mean we will need 
> > to
> > implement the gssapi_krb5 GENSEC mech, as the fake_gssapi method 
> > there
> > is currently the only test for this codepath. 
> In the second patch you seem to set REAPLY and SEQUENCE flags when 
> the
> checksum is NULL, but dochelp reported that you should consider as no
> flag is set at all.
> Why this difference ?

You are correct, to fully match what dochelp said we shouldn't set
those.  I did it this way so as not to change the existing behaviour
that has worked well for a number of years now, and what was already in
the patch I had validated against the NAS (which I don't have direct
access to).  

Anybody who proceeds with hand-built GSSAPI after this setup stage
really needs to re-think their choices, so it is my hope that this
never matters.


Andrew Bartlett

Andrew Bartlett
Authentication Developer, Samba Team         https://samba.org
Samba Development and Support, Catalyst IT   

More information about the samba-technical mailing list