[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [patch] miscellaneous mechglue stuff

On Sun, 2006-04-30 at 23:16 -0400, Michael B Allen wrote:
> On Mon, 1 May 2006 11:59:48 +1000
> Luke Howard <lukeh@PADL.COM> wrote:
> > >Mmm, do we REALLY want it 0 or should be just mask off certain bits? I
> > >recall reading about this but I confess I don't fully understand the
> > >implications regarding how the flags are communicated in the authenticator
> > >checksum. With that break mutual?
> > 
> > That's a good point, it probably will. Do MS clients do mutual when you
> > send a non-GSSAPI checksum?
> > 
> > We should probably set some default flags, at least:
> > 
> > #define GSS_C_MUTUAL_FLAG 2
> > #define GSS_C_REPLAY_FLAG 4
> > #define GSS_C_SEQUENCE_FLAG 8
> > #define GSS_C_CONF_FLAG 16
> > #define GSS_C_INTEG_FLAG 32
> > 
> > Thoughts?
> I don't know. But bare in mind that Andrew is thinking the MD5 checksum
> issue is specific to a limitation in Samba 3's smbclient. If that's true,
> then the problem would be limited to SMB servers using stock Heimdal
> gss_accept_sec_context which is to say it's not terribly important
> right now.

At the plugfest, we noticed that at least one other vendor had a similar
issue.  Unless you want to ship a custom GSSAPI lib (like Samba4's
lorikeet-heimdal), you end up doing it like this to get at the key for
signing (and on the server side, you can't get at the PAC etc).

I would fix Samba3's code, but I'm not sure I'm ready for the political
flack of shipping a custom kerberos lib with Samba, and the APIs we need
are not in standard system libs on many (any?) platforms.

Andrew Bartlett

Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net

This is a digitally signed message part