On Wed, 2004-03-10 at 11:20, Sam Hartman wrote:
> Umich has approached MIT asking for a private API for their in-kernel
> GSSAPI implementation to use.

If Samba is to ever use 'real' GSSAPI (not our own private, ugly, mostly
works hack) then we will also need this.

We currently call

    if (remote)
        err = krb5_auth_con_getremotesubkey(context, auth_context, &skey);
    else
        err = krb5_auth_con_getlocalsubkey(context, auth_context, &skey);

To get them. This key is directly used for encrypting certain CIFS
traffic (password sets particularly) and to establish 'SMB signing'.

By my reading, that should be the keys we are seeing in that structure.
Is that correct?

> Ideally we'd like to get to a point where Heimdal could implement the
> same API.
>
> As such we're seeking comments from the Heimdal community.
>
> ______________________________________________________________________
> From: Kevin Coffman <kwc@citi.umich.edu>
> To: krbdev@mit.edu
> Cc: nfsv4-wg@citi.umich.edu
> Subject: Proposal to export gssapi context
> Date: Tue, 09 Mar 2004 18:00:42 -0500
>
> Brought to krbdev...
>
> The kernel implementation of rpcsec_gss used for NFSv4 requires context
> information be negotiated in user-land and then passed down for use in the
> kernel. gss_export_context() exports the context as an opaque object which
> cannot be used for this purpose. We are proposing three new APIs. One is
> to restrict the encryption types negotiated in user-land to the set that the
> kernel can use. The other two are to export context information into a
> usable structure, and then free that structure.
>
> Comments, suggestions, welcome.
>
> ______________________________________________________________________
> _______________________________________________
> krbdev mailing list krbdev@mit.edu
> https://mailman.mit.edu/mailman/listinfo/krbdev

--
Andrew Bartlett                                 abartlet@pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet@samba.org
Student Network Administrator, Hawker College   abartlet@hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net