Local KDC and Samba
Steve French
smfrench at gmail.com
Tue Jan 21 22:56:31 UTC 2025
Looks like the first thing the client has to do is check if IAKERB is
supported and upcall for that case (not just
Currently no code in Linux (kernel) checks for this OID yet - but that
should be a simple change to upcall to your code for cases like IAKerb
../../../include/linux/oid_registry.h: OID_IAKerb, /* 1.3.6.1.5.2.5 */
We will upcall if the server reports the OID for kerberos or mskerberos:
int cifs_neg_token_init_mech_type(void *context, size_t hdrlen,
				  unsigned char tag,
				  const void *value, size_t vlen)
{
	struct TCP_Server_Info *server = context;
	enum OID oid;

	oid = look_up_OID(value, vlen);
	if (oid == OID_mskrb5)
		server->sec_mskerberos = true;
	else if (oid == OID_krb5u2u)
		server->sec_kerberosu2u = true;
	else if (oid == OID_krb5)
		server->sec_kerberos = true;
	else if (oid == OID_ntlmssp)
		server->sec_ntlmssp = true;
	else {
		char buf[50];

		sprint_oid(value, vlen, buf, sizeof(buf));
		cifs_dbg(FYI, "Decoding negTokenInit: unsupported OID %s\n",
			 buf);
	}
	return 0;
}
enum securityEnum
cifs_select_sectype(struct TCP_Server_Info *server, enum securityEnum requested)
{
	switch (server->negflavor) {
	case CIFS_NEGFLAVOR_EXTENDED:
		switch (requested) {
		case Kerberos:
		case RawNTLMSSP:
			return requested;
		case Unspecified:
			if (server->sec_ntlmssp &&
			    (global_secflags & CIFSSEC_MAY_NTLMSSP))
				return RawNTLMSSP;
			if ((server->sec_kerberos || server->sec_mskerberos) &&
			    (global_secflags & CIFSSEC_MAY_KRB5))
				return Kerberos;
			fallthrough;
		default:
			return Unspecified;
		}
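As an added user-space illustration (not kernel code, and not from the cifs client or Samba), the program below does in miniature what the two kernel functions above do: it walks the DER-encoded mechTypes list of a negTokenInit, turns each OBJECT IDENTIFIER into dotted form, sets flags analogous to the sec_* fields, and then picks a mechanism in the order Andreas suggests in the quoted reply (IAKerb first, then the plain Kerberos mech, then NTLMSSP). The struct and function names, the constructed sample mechTypes bytes and the flag-based policy are all assumptions made for this example; the OID values themselves are the standard ones (IAKerb 1.3.6.1.5.2.5 as in oid_registry.h).

```c
/* Added example, not kernel or Samba code: decode negTokenInit mechTypes
 * OIDs and choose a mechanism, preferring IAKerb over plain krb5. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical flags mirroring the sec_* fields of TCP_Server_Info. */
struct neg_flags { bool iakerb, krb5, mskrb5, krb5u2u, ntlmssp; };

enum mech { MECH_NONE, MECH_IAKERB, MECH_KRB5, MECH_NTLMSSP };

/* Decode the contents of a DER OBJECT IDENTIFIER (tag and length already
 * stripped, as in the kernel callback) into dotted form. Returns false for
 * malformed input: empty, trailing continuation byte, arc overflow, or
 * output buffer too small. */
static bool oid_to_string(const uint8_t *v, size_t vlen, char *out, size_t outlen)
{
	size_t pos = 0, used = 0;
	uint64_t arc = 0;
	bool first = true;
	int n;

	if (vlen == 0 || outlen == 0)
		return false;
	while (pos < vlen) {
		uint8_t b = v[pos++];

		if (arc > (UINT64_MAX >> 7))
			return false;		/* arc would overflow */
		arc = (arc << 7) | (b & 0x7f);
		if (b & 0x80)
			continue;		/* more bytes in this arc */
		if (first) {
			/* First sub-identifier packs two arcs: X*40 + Y. */
			uint64_t x = arc < 80 ? arc / 40 : 2;
			uint64_t y = arc - x * 40;

			n = snprintf(out + used, outlen - used, "%llu.%llu",
				     (unsigned long long)x, (unsigned long long)y);
			first = false;
		} else {
			n = snprintf(out + used, outlen - used, ".%llu",
				     (unsigned long long)arc);
		}
		if (n < 0 || (size_t)n >= outlen - used)
			return false;
		used += (size_t)n;
		arc = 0;
	}
	/* Reject an OID whose last byte still has the continuation bit set. */
	return !first && !(v[vlen - 1] & 0x80);
}

/* Analogue of the per-OID callback: set one flag per recognised mech,
 * return false and log for anything unrecognised. */
static bool note_mech(struct neg_flags *f, const uint8_t *v, size_t vlen)
{
	char buf[64];

	if (!oid_to_string(v, vlen, buf, sizeof(buf)))
		return false;
	if (!strcmp(buf, "1.3.6.1.5.2.5"))		f->iakerb = true;
	else if (!strcmp(buf, "1.2.840.113554.1.2.2"))	f->krb5 = true;
	else if (!strcmp(buf, "1.2.840.48018.1.2.2"))	f->mskrb5 = true;
	else if (!strcmp(buf, "1.2.840.113554.1.2.2.3"))	f->krb5u2u = true;
	else if (!strcmp(buf, "1.3.6.1.4.1.311.2.2.10"))	f->ntlmssp = true;
	else { fprintf(stderr, "unsupported OID %s\n", buf); return false; }
	return true;
}

/* Walk a DER SEQUENCE OF OBJECT IDENTIFIER (the mechTypes list). Only
 * short-form lengths (< 128) are handled, enough for a mechTypes list.
 * Returns the number of recognised OIDs, or -1 on malformed input. */
static int parse_mech_types(const uint8_t *p, size_t len, struct neg_flags *f)
{
	size_t pos, end;
	int recognised = 0;

	memset(f, 0, sizeof(*f));
	if (len < 2 || p[0] != 0x30 || p[1] >= 0x80 || (size_t)p[1] + 2 > len)
		return -1;
	end = 2 + p[1];
	for (pos = 2; pos < end; ) {
		size_t l;

		if (end - pos < 2 || p[pos] != 0x06 || p[pos + 1] >= 0x80)
			return -1;
		l = p[pos + 1];
		if (end - pos - 2 < l)
			return -1;
		if (note_mech(f, p + pos + 2, l))
			recognised++;
		pos += 2 + l;
	}
	return recognised;
}

/* Ordering from the thread: IAKerb first, then the plain krb5 mech (or the
 * MS variant), then NTLMSSP only if the caller's policy allows it. */
static enum mech select_mech(const struct neg_flags *f, bool allow_ntlmssp)
{
	if (f->iakerb)
		return MECH_IAKERB;
	if (f->krb5 || f->mskrb5)
		return MECH_KRB5;
	if (f->ntlmssp && allow_ntlmssp)
		return MECH_NTLMSSP;
	return MECH_NONE;
}

/* Constructed sample: mechTypes offering IAKerb, krb5 and NTLMSSP. */
static const uint8_t sample_mech_types[] = {
	0x30, 0x1f,
	0x06, 0x06, 0x2b, 0x06, 0x01, 0x05, 0x02, 0x05,
	0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x01, 0x02, 0x02,
	0x06, 0x0a, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x02, 0x02, 0x0a,
};

/* Run the sample end to end and return the chosen mech. */
static enum mech demo(void)
{
	struct neg_flags f;
	int n = parse_mech_types(sample_mech_types, sizeof(sample_mech_types), &f);

	printf("recognised %d mechs: iakerb=%d krb5=%d ntlmssp=%d\n",
	       n, f.iakerb, f.krb5, f.ntlmssp);
	return select_mech(&f, true);
}

int main(void)
{
	return demo() == MECH_IAKERB ? 0 : 1;
}
```

The decoder deliberately fails closed: an OID whose final byte still carries the continuation bit, or a length that runs past the enclosing SEQUENCE, is reported as malformed rather than partially accepted, which is the behaviour you want in anything that parses attacker-supplied negotiation tokens.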
On Tue, Jan 21, 2025 at 2:30 AM Andreas Schneider <asn at samba.org> wrote:
>
> On Tuesday, 21 January 2025 06:59:25 CET Steve French wrote:
> > Do you have a sample wireshark trace of SMB3.1.1 connection to Samba
> > with the new peer-to-peer Kerberos and/or IAKERB?
>
> Yes, I do. You can find it here:
>
> https://xor.cryptomilk.org/samba/iakerb/
>
> However that won't help you. See Alexander's reply. You need to use GSSAPI
> instead of raw Kerberos in cifs-utils. You should try to do IAKerb first and
> fall back to KRB5 mech otherwise.
>
> What I haven't implemented yet: if we get a krbtgt via IAKerb we should allow
> storing it in a user-specified ccache or the default one.
>
>
> --
> Andreas Schneider asn at samba.org
> Samba Team www.samba.org
> GPG-ID: 8DFF53E18F2ABC8D8F3C92237EE0FC4DCC014E3D
>
>
--
Thanks,
Steve