[PATCHSET] Some patches from the MIT KDC branch

Andrew Bartlett abartlet at samba.org
Thu Jul 9 07:38:24 UTC 2015


On Thu, 2015-07-09 at 08:57 +0200, Andreas Schneider wrote:
> On Thursday 09 July 2015 09:32:06 Andrew Bartlett wrote:
> > On Wed, 2015-07-08 at 18:12 +0200, Andreas Schneider wrote:
> > > Hi,
> > > 
> > > I'm currently working on the MIT KDC branch to clean it up so we can get
> > > more patches upstream. Here are a few patches which are ready for master.
> > > More to come in the next days and weeks.
> > > 
> > > They are also available here:
> > > 
> > > https://git.samba.org/?p=asn/samba.git;a=shortlog;h=refs/heads/master-mit-kdc-ok
> > 
> > The main patch I have thoughts on is the salt handling one.  I remember
> > we had some discussion on that, and a solution was merged into master.
> > Can you remind me where we got to there?
> 
> We fixed it by adding the correct saltPrincipal to the ldif. So we have the 
> correct salt already in ldap!
> What this code does is to clean up the code and always pass down the 
> saltPrincipal to the update keytab function. So the caller needs to make sure 
> it passes down the saltPrincipal it has or creates the correct one needed for 
> the operation. We should not create it in the update keytab function ...
> 
> > One note I've been meaning to say for the past little while is that I
> > think you will have to, contrary to my previous advice, implement the
> > required things for gssapi_krb5.  While the only non-torture use of it
> > is kpasswd, the contribution it makes to testing is non-trivial, like
> > the fun and games we just found with the NULL checksums from the "Huawei
> > Unified Storage System S5500 V3".
> 
> Can you tell me which test it needs? You need to be a bit more specific here :)

https://git.samba.org/abartlet/samba.git/?p=abartlet/samba.git/.git;a=commitdiff;h=f3762dbb68a85abb26e81973bdec835bca9bee1b
https://git.samba.org/abartlet/samba.git/?p=abartlet/samba.git/.git;a=commitdiff;h=7c6837a02af592b1c29b5695b014763d52925543

> If you're talking about gensec_fake_gssapi_krb5_security_ops() it works fine 
> with gssapi ...
> 
> https://git.samba.org/?p=asn/samba.git;a=commit;h=1dc1c69d5990cb67b77549309e25be372023c33b

The point of the fake_gssapi is to exercise the code paths used by
things like the NAS mentioned above, not to implement it using real
GSSAPI.  Of course you can use real GSSAPI and call it fake, and of
course everything still works, but that's really not the point :-)

The fake_gssapi is WRONG per the spec, but so was Samba for most of a
decade, and we need tests to confirm we still work with such broken
clients. 

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
