Writing gss mechanism - Kerberos user2user
Idan Freiberg
speidy at gmail.com
Sun Feb 5 01:21:19 EST 2017
Hello all,
I'm working on an implementation for Kerberos user2user mechanism, in order
to be able to interop with MS requests as such.
Talking with Simo, kaduk @ irc, I was advised to add it as a seperate .so
module.
While it is possible, i'm not sure its the right way. One reason for that
is because MS doesn't specify user2user mech as a seperate mech in
MechTypes (NegoTokenInit).
They actually ask for official krb5 or mskrb5 oids, then they include the
user2user token as the MechToken of the request.
That made me think u2u should be hooked in gssapi_krb5.
On the other hand, looking at gss-ntlmssp by Simo, I find that a support
was added into gssapi itself in order to detect that mech when
NegoTokenInit comes in (altough thats a different way of detection), so i
might be wrong about my the above.
Can you share your thoughts about that one?
--
Idan Freiberg
PGP FP: 8108 7EC9 806E 4980 75F2 72B3 8AD3 2D04 337B 1F18
More information about the krbdev
mailing list