[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [patch] miscellaneous mechglue stuff



On Mon, 1 May 2006 11:59:48 +1000
Luke Howard <lukeh@PADL.COM> wrote:

> >Mmm, do we REALLY want it 0 or should be just mask off certain bits? I
> >recall reading about this but I confess I don't fully understand the
> >implications regarding how the flags are communicated in the authenticator
> >checksum. With that break mutual?
> 
> That's a good point, it probably will. Do MS clients do mutual when you
> send a non-GSSAPI checksum?
> 
> We should probably set some default flags, at least:
> 
> #define GSS_C_MUTUAL_FLAG 2
> #define GSS_C_REPLAY_FLAG 4
> #define GSS_C_SEQUENCE_FLAG 8
> #define GSS_C_CONF_FLAG 16
> #define GSS_C_INTEG_FLAG 32
> 
> Thoughts?

I don't know. But bare in mind that Andrew is thinking the MD5 checksum
issue is specific to a limitation in Samba 3's smbclient. If that's true,
then the problem would be limited to SMB servers using stock Heimdal
gss_accept_sec_context which is to say it's not terribly important
right now.

Do you happen to know how to export a cifs/name.foo.net@FOO.NET aka
name$@foo.net service principal from a W2K3 DC such that it can be
imported into a keytab for Ethereal to use? Ktpass.exe doesn't export
those principals. Otherwise I don't have the setup to decrypt the
Authenticator and know for certain that MS client's are really using 8003.

Mike