On Sun, 2006-04-30 at 23:16 -0400, Michael B Allen wrote:
> On Mon, 1 May 2006 11:59:48 +1000
> Luke Howard <lukeh@PADL.COM> wrote:
>
> > > Mmm, do we REALLY want it 0 or should we just mask off certain bits? I
> > > recall reading about this but I confess I don't fully understand the
> > > implications regarding how the flags are communicated in the authenticator
> > > checksum. Will that break mutual?
> >
> > That's a good point, it probably will. Do MS clients do mutual when you
> > send a non-GSSAPI checksum?
> >
> > We should probably set some default flags, at least:
> >
> > #define GSS_C_MUTUAL_FLAG 2
> > #define GSS_C_REPLAY_FLAG 4
> > #define GSS_C_SEQUENCE_FLAG 8
> > #define GSS_C_CONF_FLAG 16
> > #define GSS_C_INTEG_FLAG 32
> >
> > Thoughts?
>
> I don't know. But bear in mind that Andrew is thinking the MD5 checksum
> issue is specific to a limitation in Samba 3's smbclient. If that's true,
> then the problem would be limited to SMB servers using stock Heimdal
> gss_accept_sec_context, which is to say it's not terribly important
> right now.

At the plugfest, we noticed that at least one other vendor had a similar issue.

Unless you want to ship a custom GSSAPI lib (like Samba4's lorikeet-heimdal), you end up doing it like this to get at the key for signing (and on the server side, you can't get at the PAC etc.).

I would fix Samba3's code, but I'm not sure I'm ready for the political flak of shipping a custom Kerberos lib with Samba, and the APIs we need are not in standard system libs on many (any?) platforms.

Andrew Bartlett
--
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net
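The thread above turns on how the requested GSS-API flags reach the acceptor: in Kerberos GSS-API they are carried inside the AP-REQ authenticator checksum (checksum type 0x8003, RFC 4121 section 4.1.1), so a client that builds its own AP-REQ with a plain MD5 checksum hands the acceptor no Flags field at all. The following is an added example, not code from this thread, from Samba or from Heimdal: it encodes and decodes that checksum body, using the same flag values Luke quotes, so the effect of "0" versus a masked default set can be inspected on the wire. The function names and the constructed inputs are mine; the layout follows RFC 4121.

```python
"""Build and parse the RFC 4121 GSS-API authenticator checksum (type 0x8003).

Layout (all integers little-endian, RFC 4121 section 4.1.1.1):
  Lgth   4 octets   length of Bnd, always 16
  Bnd    16 octets  MD5 of the channel bindings (16 zero octets if none)
  Flags  4 octets   the req_flags the initiator asks for
  DlgOpt 2 octets   present only if GSS_C_DELEG_FLAG is set, always 1
  Dlgth  2 octets   length of Deleg
  Deleg  Dlgth      DER-encoded KRB-CRED
  Exts   ...        optional extensions
Example code only; not Samba or Heimdal code.
"""
import hashlib
import struct

# Flag values as in the GSS-API C bindings (RFC 2744), matching the thread.
GSS_C_DELEG_FLAG = 1
GSS_C_MUTUAL_FLAG = 2
GSS_C_REPLAY_FLAG = 4
GSS_C_SEQUENCE_FLAG = 8
GSS_C_CONF_FLAG = 16
GSS_C_INTEG_FLAG = 32

# The default set proposed in the thread: everything except delegation.
DEFAULT_FLAGS = (GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG
                 | GSS_C_CONF_FLAG | GSS_C_INTEG_FLAG)

CKSUMTYPE_GSSAPI = 0x8003
BND_LEN = 16


def channel_binding_hash(initiator_addrtype=0, initiator_address=b"",
                         acceptor_addrtype=0, acceptor_address=b"",
                         application_data=b""):
    """MD5 over the channel bindings as laid out in RFC 4121 section 4.1.1.2:
    each address type as a 4-octet little-endian integer, each octet string
    prefixed by its 4-octet little-endian length."""
    buf = struct.pack("<I", initiator_addrtype)
    buf += struct.pack("<I", len(initiator_address)) + initiator_address
    buf += struct.pack("<I", acceptor_addrtype)
    buf += struct.pack("<I", len(acceptor_address)) + acceptor_address
    buf += struct.pack("<I", len(application_data)) + application_data
    return hashlib.md5(buf).digest()


def build_checksum(flags, bnd=None, krb_cred=None):
    """Encode the 0x8003 checksum body. bnd is the 16-octet channel-binding
    hash (zeros when the caller passes no bindings); krb_cred is the
    DER-encoded KRB-CRED to forward when GSS_C_DELEG_FLAG is set."""
    if bnd is None:
        bnd = b"\x00" * BND_LEN
    if len(bnd) != BND_LEN:
        raise ValueError("Bnd must be exactly 16 octets")
    if bool(flags & GSS_C_DELEG_FLAG) != (krb_cred is not None):
        raise ValueError("GSS_C_DELEG_FLAG and a KRB-CRED go together")
    out = struct.pack("<I", BND_LEN) + bnd + struct.pack("<I", flags)
    if krb_cred is not None:
        out += struct.pack("<HH", 1, len(krb_cred)) + krb_cred  # DlgOpt, Dlgth
    return out


def parse_checksum(data):
    """Decode a 0x8003 checksum body. Anything that does not fit the RFC 4121
    layout (a bare 16-octet MD5 digest, for instance) raises ValueError."""
    if len(data) < 24:
        raise ValueError("too short for an RFC 4121 authenticator checksum")
    (lgth,) = struct.unpack_from("<I", data, 0)
    if lgth != BND_LEN:
        raise ValueError("Lgth must be 16, got %d" % lgth)
    bnd = data[4:20]
    (flags,) = struct.unpack_from("<I", data, 20)
    pos = 24
    krb_cred = None
    if flags & GSS_C_DELEG_FLAG:
        if len(data) < pos + 4:
            raise ValueError("truncated delegation header")
        dlgopt, dlgth = struct.unpack_from("<HH", data, pos)
        pos += 4
        if dlgopt != 1:
            raise ValueError("unknown DlgOpt %d" % dlgopt)
        krb_cred = data[pos:pos + dlgth]
        if len(krb_cred) != dlgth:
            raise ValueError("truncated KRB-CRED")
        pos += dlgth
    return {"bnd": bnd, "flags": flags, "krb_cred": krb_cred, "exts": data[pos:]}


def flag_names(flags):
    """Human-readable view of a Flags word, lowest bit first."""
    names = {GSS_C_DELEG_FLAG: "DELEG", GSS_C_MUTUAL_FLAG: "MUTUAL",
             GSS_C_REPLAY_FLAG: "REPLAY", GSS_C_SEQUENCE_FLAG: "SEQUENCE",
             GSS_C_CONF_FLAG: "CONF", GSS_C_INTEG_FLAG: "INTEG"}
    return [name for bit, name in sorted(names.items()) if flags & bit]


if __name__ == "__main__":
    for f in (0, DEFAULT_FLAGS):
        body = build_checksum(f)
        print("flags=0x%02x %-40s %s" % (f, flag_names(f), body.hex()))
```

Running the block prints the two bodies side by side: with Flags 0 the acceptor sees no MUTUAL bit and has no reason to return an AP-REP, which is the breakage the thread worries about; with DEFAULT_FLAGS (0x3e) the MUTUAL, REPLAY, SEQUENCE, CONF and INTEG bits are all present. The parser also shows why a raw MD5 digest in the authenticator is a dead end for the acceptor: it is too short to carry a Flags field at all.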