[Patches] The way to remove gensec_update_ev()

Andrew Bartlett abartlet at samba.org
Wed May 17 17:56:16 UTC 2017


On Wed, 2017-05-17 at 14:12 +0200, Stefan Metzmacher via samba-technical wrote:
> Hi,
> 
> I'm currently working on the removal of gensec_update_ev(),
> which relies on nested event loops to be activated.
> 
> If we want to have proper support for trusted domains
> as AD DC, we need to use real async authentication because
> we still use a single process model for the rpc server.
> 
> So the first step is to make all users of gensec_update_ev()
> use gensec_update_send/recv instead.
> 
> Once we have that we need to make the low level auth stack async
> for NTLMSSP (as a server) and Kerberos (as a client).
> 
> Here's the first chunk of patches, they passed a private autobuild.
> 
> Please review and push:-)

I'm looking at these now.  I'm correcting a couple of minor issues in
commit messages (patch of patches attached), but I also noticed:

Subject: [PATCH 25/35] auth/ntlmssp: add implement
 gensec_ntlmssp_update_send/recv()

-	if (!out_mem_ctx) {
-		/* if the caller doesn't want to manage/own the
memory,
-		   we can put it on our context */
-		out_mem_ctx = ntlmssp_state;
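
Review bot: dropping the `if (!out_mem_ctx)` fallback means a NULL out_mem_ctx is no longer redirected to ntlmssp_state, and these lines do not show what happens to such a caller afterwards. Either state in the commit message that no caller passes NULL, or keep the fallback until the callers have been checked, and move the removal into its own preparatory commit so it can be verified separately from the async conversion.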

I don't think it is used, but can we have this as a distinct commit? 
I'm sorry to be petty, but it is hard enough reading the change to
async without also removing this at the same time.

The other wrapper changes are much easier to follow, they just rename a
function and call it, but this one also removes hidden return macros
and changes input to in.  They are all great things, but just need to
be a prep patch so I know I'm not missing something.

Thank you so much for the hard work here.  I'll review the next set
shortly. 

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
-------------- next part --------------
--- /home/abartlet/.cache/evolution/tmp/evolution-abartlet-ttSYuQ/gensec-async-part1-01.patches.txt	2017-05-18 05:13:52.798845812 +1200
+++ /tmp/gensec-async-part1-01.patches.txt	2017-05-18 05:21:08.349174139 +1200
@@ -96,7 +96,7 @@
 If smbXcli_session_is_guest() returns true, we should handle the authentication
 as anonymous and don't touch the gensec context anymore.
 
-Note that smbXcli_session_is_guest() always returns false, it signing is
+Note that smbXcli_session_is_guest() always returns false, if signing is
 required!
 
 Signed-off-by: Stefan Metzmacher <metze at samba.org>
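
Review bot: the context line just above the corrected sentence, "we should handle the authentication as anonymous and don't touch the gensec context anymore", still mixes verb forms; since this commit message is being corrected anyway, "and not touch the gensec context anymore" would read cleanly. The comma before "if signing is required" in the corrected line can also be dropped.
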
@@ -671,7 +671,8 @@
  GENSEC_FEATURE_SIGN_PKT_HEADER logic
 
 We can directly check this after gensec_start_mech_by_authtype(),
-the backend either supports it or not. There's nothing.
+the backend either supports it or not. There's nothing that can
+change if this is supported during the negotiation.
 
 Signed-off-by: Stefan Metzmacher <metze at samba.org>
 ---
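
Review bot: the replacement wording "There's nothing that can change if this is supported during the negotiation" is ambiguous, because "if" reads as a condition rather than as "whether". Something like "Nothing during the negotiation can change whether this is supported" states the intent directly.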

