Work required before we enable krb5 in default config
Andrew Bartlett
abartlet at samba.org
Thu Sep 8 10:08:12 GMT 2005
Particularly with the recent PAC work done, we are now much, much closer
to enabling the gensec_gssapi module by default, and therefore to
transparently handling Kerberos.
The things that I see as TODO are in two categories: AES and DNS.
By using the AES encryption types, we change the properties of GSSAPI
and Kerberos, in ways that break more fragile bits of Samba. These are:
- PAC signatures (assumes a 16 byte key):
  The PAC parsing and verification code we have at the moment relies on
  fixed offsets into the end of the PAC bugg
- GSSAPI wrapping (assumed a fixed GSSAPI wrap format)
Both of these can be fixed (a 'mere matter of programming').
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Samba Developer, SuSE Labs, Novell Inc. http://suse.de
Authentication Developer, Samba Team http://samba.org
Student Network Administrator, Hawker College http://hawkerc.net
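
An added example, not part of the original message and not Samba's code: a sketch of locating a PAC signature through the PAC_INFO_BUFFER directory and sizing it from its SignatureType, rather than from fixed offsets and a 16-byte assumption. The layout and constants follow MS-PAC; the function names and sample buffers are hypothetical and constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* SignatureType values and buffer types as documented in MS-PAC. */
#define SIG_HMAC_MD5            0xFFFFFF76u /* 16-byte signature */
#define SIG_HMAC_SHA1_96_AES128 0x0000000Fu /* 12-byte signature */
#define SIG_HMAC_SHA1_96_AES256 0x00000010u /* 12-byte signature */
#define PAC_SERVER_CHECKSUM 6u
#define PAC_KDC_CHECKSUM    7u
/* Constructed samples: one directory entry, data at offset 24, signature bytes zeroed. */
const uint8_t SAMPLE_AES[40] = {1,0,0,0, 0,0,0,0, 6,0,0,0, 16,0,0,0, 24,0,0,0,0,0,0,0, 0x10,0,0,0};
const uint8_t SAMPLE_MD5[44] = {1,0,0,0, 0,0,0,0, 6,0,0,0, 20,0,0,0, 24,0,0,0,0,0,0,0, 0x76,0xFF,0xFF,0xFF};

static uint32_t le32(const uint8_t *p) {
    return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
/* Signature length implied by SignatureType; 0 means unknown type. */
size_t pac_sig_len(uint32_t type) {
    if (type == SIG_HMAC_MD5) return 16;
    if (type == SIG_HMAC_SHA1_96_AES128 || type == SIG_HMAC_SHA1_96_AES256) return 12;
    return 0;
}

/* Walk the directory for buffer type `want`. Returns the signature length and
 * stores the offset of the signature bytes in *sig_off, or -1 if malformed. */
int pac_find_sig(const uint8_t *pac, size_t len, uint32_t want, size_t *sig_off) {
    if (len < 8) return -1;
    uint32_t n = le32(pac);                       /* cBuffers */
    if (n > (len - 8) / 16) return -1;            /* directory must fit */
    for (uint32_t i = 0; i < n; i++) {
        const uint8_t *e = pac + 8 + 16 * (size_t)i;
        if (le32(e) != want) continue;
        uint32_t size = le32(e + 4);              /* cbBufferSize */
        uint64_t off = le32(e + 8) | (uint64_t)le32(e + 12) << 32;
        if (off > len || size > len - off || size < 4) return -1;
        size_t slen = pac_sig_len(le32(pac + off));
        if (slen == 0 || slen > size - 4) return -1; /* trailing RODC id allowed */
        *sig_off = (size_t)off + 4;
        return (int)slen;
    }
    return -1;
}

int main(void) {
    size_t off = 0;
    int n = pac_find_sig(SAMPLE_AES, sizeof SAMPLE_AES, PAC_SERVER_CHECKSUM, &off);
    printf("AES server checksum: %d bytes at offset %zu\n", n, off);
    return 0;
}
```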