[Cvsnt] gserver impersonation

Tony Hoyle tmh at nothing-on.tv
Mon Feb 25 14:26:41 GMT 2002


On Mon, 25 Feb 2002 12:47:28 +0000 (UTC), Brian Smith
<brian-l-smith at uiowa.edu> wrote:

>  My changes are also currently working on my linux box without any
>problems. I have modified the gserver code so that it can authenticate
>using Windows 2000 active directory. By the end of the week I suppose my
>modified version will not have any dependencies on MIT Kerberos at all.
>My changes make CVSNT kerberos support transparent and automatic (no
>manual kerberos setup) for the case when CVSNT is running under the
>LocalSystem account.
>
>I made my changes directly to the gssapi_mit code because the
>gssapi_win32 code was too different for me to get working with quickly
>and it didn't work with my linux client. I'm not sure of a couple things
>though:

The gssapi_win32 code is basically what you have to do to support
kerberos natively under win32... I just never got it fully working -
it's the example code with a few changes.

>(1) when is the disconnect function supposed to be called (e.g.
>gserver_disconnect)? It doesn't seem like it is ever getting called.

I don't think it is at the moment... It was called on error conditions
but it got taken out at some point.  In theory it should be called
after everything is shut down.... that'll go in sometime in the .4
release.

>(2) The current gserver code doesn't define an impersonation function.
>That makes me a little uncertain about how impersonation works for
>gserver. Can one use NTFS impersonation with the gssapi_mit code? In my
>Windows 2000-ized version I should easily be able to do impersonation so
>that filesystem permissions will work.

If there's no impersonation it defaults to the same method that
pserver uses.  MIT Kerberos doesn't provide an 'impersonate' method so
I have to do that.

>(3) I am interested in integrating my changes into the main CVSNT
>distribution. Would you be interested in doing this? I know you want the
>gserver code to work on NT 4.0 too so there would have to be some way to
>choose between a "Windows 2000 AD" mode and a "MIT Kerberos" mode at
>setup time. But, I don't know how you would want to map the DLL's to the
>protocol names when there would be two different DLL's for the same
>protocol.

Mapping the DLLs is just a matter of deciding search order (calling it
'protocol_adgserver.dll' would be enough, as the filenames come in in
alphabetical order).  The AD version would have to be a separate file
(replacing the gssapi_win32 stuff probably) - The MIT stuff has to
stay the same for the unix versions.

Tony

_______________________________________________
Cvsnt mailing list
Cvsnt at cvsnt.org
http://www.cvsnt.org/cgi-bin/mailman/listinfo/cvsnt