[Cvsnt] gserver impersonation

Brian Smith brian-l-smith at uiowa.edu
Mon Feb 25 20:47:44 GMT 2002


Tony Hoyle wrote:
> On Mon, 25 Feb 2002 12:47:28 +0000 (UTC), Brian Smith
> <brian-l-smith at uiowa.edu> wrote:
>
>>I made my changes directly to the gssapi_mit code because the
>>gssapi_win32 code was too different for me to get working with quickly
>>and it didn't work with my linux client. I'm not sure of a couple of
>>things though:
>
> The gssapi_win32 code is basically what you have to do to support
> kerberos natively under win32... I just never got it fully working -
> it's the example code with a few changes.

Yes, I noticed that it is very similar to the MSDN example code.
However, I found it was much simpler to just translate the GSSAPI calls
into the equivalent Win32 calls instead of completely rewriting it. SSPI
and GSSAPI are actually quite similar for the way that CVS uses them so
this was easy to do. I am actually going to factor the code a little bit
so that the GSSAPI and SSPI versions can share code (the sending of
tokens is the same, for example, as is the general control flow).

>>(1) when is the disconnect function supposed to be called (e.g.
>>gserver_disconnect)? It doesn't seem like it is ever getting called.
>>
> I don't think it is at the moment... It was called on error conditions
> but it got taken out at some point.  In theory it should be called
> after everything is shut down.... that'll go in sometime in the .4
> release.

On the client or the server? Could you add a little more documentation
about the protocol_interface structure describing when each of the
functions is supposed to be called, and whether they are called on the
client and/or the server?

>>(2) The current gserver code doesn't define an impersonation function.
>>That makes me a little uncertain about how impersonation works for
>>gserver. Can one use NTFS impersonation with the gssapi_mit code? In my
>>Windows 2000-ized version I should easily be able to do impersonation so
>>that filesystem permissions will work.
>>
> If there's no impersonation it defaults to the same method that
> pserver uses.  MIT Kerberos doesn't provide an 'impersonate' method so
> I have to do that.

Okay, that makes sense.

> Mapping the DLLs is just a matter of deciding search order (calling it
> 'protocol_adgserver.dll' would be enough, as the filenames come in in
> alphabetical order).  The AD version would have to be a separate file
> (replacing the gssapi_win32 stuff probably) - The MIT stuff has to
> stay the same for the unix versions.

I don't think that will work because I want to be able to support MIT
Kerberos on Windows 2000 too. Instead, I am thinking of having a single
"gserver_protocol" DLL that uses a flag to decide between MIT and
Microsoft implementations (each of which would reside in a different DLL).

- Brian
