[PATCH] support for kerberos in plugin DC code
Andrew Bartlett
abartlet at samba.org
Fri Jul 29 16:30:40 MDT 2011
On Fri, 2011-07-29 at 17:09 +0200, Stefan (metze) Metzmacher wrote:
> >> I'd like you to give quite some time to review and decide if it is ok.
> >> I have been opposed on introducing gensec in s3 for a few reasons. One
> >> is dependencies, the other is that IIRC gensec does not create new event
> >> loops but allows nesting of loops. That is something too dangerous for
> >> the file server imho.
> >
> > Yes, this needs a lot of review, I hope to get some time in the next days.
>
> Here are my first results, but I'll do more review on Monday:
>
> - please keep the prototype of gensec_socket_init() and
> dcerpc_schannel_creds() under source4. Maybe others too.
OK. I'll see if I can find a more appropriate place for these
prototypes.
> - In s3-auth Use else if in do_map_to_guest_server_info use:
> return make_server_info_guest();
> instead of status = make_server_info_guest()
Sure, I can change that. It is amazing how much comment this poor
little function (copied unchanged from sesssetup.c) got :-)
(Tridge asked for the else if)
> - please change gensec_session_info() to take an explicit memory context
> from the caller before using it in auth_ntlmssp_steal_session_info()
I'll check the reasoning for the original design pattern and see what I
can do.
> BTW: Why does auth_ntlmssp_steal_session_info have 'steal' in its name?
It has steal in its name because I was specifically asked to put steal
in its name in the review of an earlier patch series.
> - In s3-ntlmssp Remove rpccli_get_pwd_hash and auth_ntlmssp_get_nt_hash
> please remove the empty lines after calling cli_get_session_key().
>
> - In gensec: Don't keep a second copy of the auth4_context in
> gensec_ntlmssp_state
> wouldn't it be better to remove it from gensec_security?
> gensec_security should become a private structure in the end
> (hopefully renamed to gensec_session...)
GENSEC requires the auth4_context for the NTLMSSP backend in Samba4, and
it provides function pointers for generation of the session_info in all
Samba4 backends. Doing so via a context on gensec_security avoids a
number of dependency loops that would otherwise exist, and allows the
auth4_context to be specified before the specific mechanism is
chosen.
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org