From jallison@WHISTLE.COM Sun Jan 18 20:29:56 1998
Date: Thu, 15 Jan 1998 17:51:49 -0800
To: CIFS@DISCUSS.MICROSOFT.COM
Subject: Re: new CIFS I-D

Paul wrote:

> 2. A specification of how to encapsulate arbitrary authentication protocols,
> so it can use Kerberos.

Well Paul, I took a good look at this new spec and I'm sorry but it doesn't give "A specification of how to encapsulate arbitrary authentication protocols, so it can use Kerberos.", I'm afraid. It's not at all complete. All it does is specify how to exchange an arbitrary number of unspecified blobs of security data between client and server. Saying "we use snego" (which is still in draft form according to the IETF Web pages) doesn't specify enough for an implementor.

Now using snego only guarantees that the OID list of authentication mechanisms that the client understands is given to the server. If you create a proprietary encoding of your Kerberos 5 tickets and get a unique OID to describe this *but then don't tell anyone what the format of this encoding is* then 3rd parties who don't have this information will be unable to use CIFS Kerberos authentication.

I guess it would be ok to say that you're going to use the mechanism independent token format encoding for OID 1.2.840.113554.1.2.2 - the Kerberos 5 OID - based on RFC2078, but I haven't heard anything to confirm that from MS.

Also (as Andrew pointed out) you haven't addressed the Kerberos ticket expiration problem. Once the ticket expires, the client is somewhat up the creek until it re-authenticates. The only way you've specified of doing this is by a session_setup_and_X command - but this would re-issue a UID - what does the client do with already open resources ?

I would appreciate a bit of clarification on this if possible.

Cheers,

Jeremy Allison.
Samba Team.
(Whistle Communications).
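The message's point about the RFC 2078 mechanism-independent token format is that an implementor can only interoperate if the first thing in the security blob is a recognisable mechanism OID. The Python below is an added illustration written for this page, not code from the message, the CIFS draft or Samba: it DER-encodes an OID, wraps an inner token in the RFC 2078 InitialContextToken framing ([APPLICATION 0] tag 0x60, length, OID, inner token), and parses such a blob back to the dotted OID so a server can decide whether it understands the mechanism before touching the inner bytes. The inner Kerberos token here is a constructed placeholder, and the lookup table holds only the Kerberos 5 OID named in the message plus the SPNEGO OID 1.3.6.1.5.5.2.

```python
# Added example: RFC 2078 InitialContextToken framing around a mechanism OID.
# The mechanism table and the placeholder inner token are constructed for this page.

KRB5_MECH_OID = "1.2.840.113554.1.2.2"   # Kerberos 5 GSS-API mechanism, cited in the message
SPNEGO_OID = "1.3.6.1.5.5.2"             # SPNEGO pseudo-mechanism
KNOWN_MECHS = {KRB5_MECH_OID: "krb5", SPNEGO_OID: "spnego"}


def encode_length(n: int) -> bytes:
    """DER length: short form below 0x80, otherwise 0x8N followed by N big-endian bytes."""
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw


def decode_length(buf: bytes, pos: int):
    """Return (length, position after the length field); rejects indefinite/oversized forms."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    count = first & 0x7F
    if count == 0 or count > 4 or pos + 1 + count > len(buf):
        raise ValueError("bad DER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + count], "big"), pos + 1 + count


def encode_oid(dotted: str) -> bytes:
    """DER OBJECT IDENTIFIER (tag 0x06) for a dotted-decimal OID."""
    arcs = [int(a) for a in dotted.split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] >= 40):
        raise ValueError("invalid OID")
    subids = [40 * arcs[0] + arcs[1]] + arcs[2:]
    body = bytearray()
    for sub in subids:                      # base-128, high bit set on all but the last byte
        chunk = bytearray([sub & 0x7F])
        sub >>= 7
        while sub:
            chunk.insert(0, 0x80 | (sub & 0x7F))
            sub >>= 7
        body += chunk
    return b"\x06" + encode_length(len(body)) + bytes(body)


def decode_oid_body(body: bytes) -> str:
    """Inverse of encode_oid for the bytes after tag and length."""
    if not body or body[-1] & 0x80:
        raise ValueError("truncated OID")
    subids, value = [], 0
    for b in body:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            subids.append(value)
            value = 0
    first = subids[0]
    head = [0, first] if first < 40 else [1, first - 40] if first < 80 else [2, first - 80]
    return ".".join(str(a) for a in head + subids[1:])


def wrap_initial_context_token(mech_oid: str, inner: bytes) -> bytes:
    """RFC 2078 3.1: 0x60, length, thisMech OID, innerContextToken."""
    payload = encode_oid(mech_oid) + inner
    return b"\x60" + encode_length(len(payload)) + payload


def parse_initial_context_token(token: bytes):
    """Return (dotted mechanism OID, inner token bytes); strict about lengths."""
    if not token or token[0] != 0x60:
        raise ValueError("not an InitialContextToken")
    total, pos = decode_length(token, 1)
    if pos + total != len(token):
        raise ValueError("outer length does not match blob size")
    if token[pos] != 0x06:
        raise ValueError("thisMech is not an OID")
    oid_len, pos = decode_length(token, pos + 1)
    if pos + oid_len > len(token):
        raise ValueError("OID overruns blob")
    mech = decode_oid_body(token[pos:pos + oid_len])
    return mech, token[pos + oid_len:]


def classify_blob(token: bytes) -> str:
    """Name the mechanism if known, otherwise report the OID so the rejection is explainable."""
    mech, _ = parse_initial_context_token(token)
    return KNOWN_MECHS.get(mech, "unknown:" + mech)


if __name__ == "__main__":
    placeholder_inner = b"\x01\x00" + b"<placeholder AP-REQ bytes>"   # constructed, not a real ticket
    blob = wrap_initial_context_token(KRB5_MECH_OID, placeholder_inner)
    print(blob.hex())
    print(classify_blob(blob))
```

A server that wants to refuse blobs it cannot interpret can stop at `parse_initial_context_token` and log the OID; the inner token is never parsed unless the mechanism is one it implements.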