Samba Team member Andrew Bartlett has written a paper on Samba4's GENSEC security subsystem and client credentials interfaces. Andrew will be presenting the information in this paper at sambaXP next week.

From Andrew's introduction:

The series of subsystems presented in this paper are the culmination of four years of thought and development, since the first 'Authentication rewrite' work on the then Samba HEAD development branch back in 2001.

Because Samba takes the challenge to match Microsoft's latest releases exactly, the issues surrounding Active Directory and modern security technologies quickly came to the fore. It is no longer possible to just pretend to be NT4 and hope that the clients did not expect any particularly difficult behaviour. With this incarnation of Samba these challenges are being tackled, not just worked around.

As he did with Active Directory in his Samba4 thesis, Andrew does a nice job of detailing the various GENSEC components. For the complete paper (in PDF), see GENSEC - Designing a security subsystem.