[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [patch] miscellaneous mechglue stuff
On Sun, 07 May 2006 17:06:45 +1000
Andrew Bartlett <abartlet@samba.org> wrote:
> On Sun, 2006-04-30 at 23:16 -0400, Michael B Allen wrote:
> > On Mon, 1 May 2006 11:59:48 +1000
> > Luke Howard <lukeh@PADL.COM> wrote:
> >
> > > >Mmm, do we REALLY want it 0 or should be just mask off certain bits? I
> > > >recall reading about this but I confess I don't fully understand the
> > > >implications regarding how the flags are communicated in the authenticator
> > > >checksum. With that break mutual?
> > >
> > > That's a good point, it probably will. Do MS clients do mutual when you
> > > send a non-GSSAPI checksum?
> > >
> > > We should probably set some default flags, at least:
> > >
> > > #define GSS_C_MUTUAL_FLAG 2
> > > #define GSS_C_REPLAY_FLAG 4
> > > #define GSS_C_SEQUENCE_FLAG 8
> > > #define GSS_C_CONF_FLAG 16
> > > #define GSS_C_INTEG_FLAG 32
> > >
> > > Thoughts?
> >
> > I don't know. But bare in mind that Andrew is thinking the MD5 checksum
> > issue is specific to a limitation in Samba 3's smbclient. If that's true,
> > then the problem would be limited to SMB servers using stock Heimdal
> > gss_accept_sec_context which is to say it's not terribly important
> > right now.
>
> At the plugfest, we noticed that at least one other vendor had a similar
> issue. Unless you want to ship a custom GSSAPI lib (like Samba4's
> lorikeet-heimdal), you end up doing it like this to get at the key for
> signing (and on the server side, you can't get at the PAC etc).
The best thing would be to advocate gss_krb5_inquire_sec_context_by_oid w/
OIDs for the subkey and PAC [1] w/ support in MIT and stock Heimdal.
Mike
[1] Current mechglue-branch flags are GSS_KRB5_GET_SUBKEY_X, and
GSS_KRB5_EXTRACT_AUTHZ_DATA_FROM_SEC_CONTEXT_X