Re: [patch] miscellaneous mechglue stuff

[Michael B Allen <mba2000@ioplex.com>]

On Sun, 07 May 2006 17:06:45 +1000
Andrew Bartlett <abartlet@samba.org> wrote:

> On Sun, 2006-04-30 at 23:16 -0400, Michael B Allen wrote:
> > On Mon, 1 May 2006 11:59:48 +1000
> > Luke Howard <lukeh@PADL.COM> wrote:
> > 
> > > >Mmm, do we REALLY want it 0 or should be just mask off certain bits? I
> > > >recall reading about this but I confess I don't fully understand the
> > > >implications regarding how the flags are communicated in the authenticator
> > > >checksum. With that break mutual?
> > > 
> > > That's a good point, it probably will. Do MS clients do mutual when you
> > > send a non-GSSAPI checksum?
> > > 
> > > We should probably set some default flags, at least:
> > > 
> > > #define GSS_C_MUTUAL_FLAG 2
> > > #define GSS_C_REPLAY_FLAG 4
> > > #define GSS_C_SEQUENCE_FLAG 8
> > > #define GSS_C_CONF_FLAG 16
> > > #define GSS_C_INTEG_FLAG 32
> > > 
> > > Thoughts?
> > 
> > I don't know. But bare in mind that Andrew is thinking the MD5 checksum
> > issue is specific to a limitation in Samba 3's smbclient. If that's true,
> > then the problem would be limited to SMB servers using stock Heimdal
> > gss_accept_sec_context which is to say it's not terribly important
> > right now.
> 
> At the plugfest, we noticed that at least one other vendor had a similar
> issue.  Unless you want to ship a custom GSSAPI lib (like Samba4's
> lorikeet-heimdal), you end up doing it like this to get at the key for
> signing (and on the server side, you can't get at the PAC etc).

The best thing would be to advocate gss_krb5_inquire_sec_context_by_oid w/
OIDs for the subkey and PAC [1] w/ support in MIT and stock Heimdal.

Mike

[1] Current mechglue-branch flags are GSS_KRB5_GET_SUBKEY_X, and
    GSS_KRB5_EXTRACT_AUTHZ_DATA_FROM_SEC_CONTEXT_X