[linux-cifs-client] Re: SPNEGO OIDs and MIC

Q (Igor Mammedov) niallain at gmail.com
Thu Aug 21 20:25:08 GMT 2008


On Thu, Aug 21, 2008 at 11:28 PM, Steve French <smfrench at gmail.com> wrote:
> I think there is some value in passing the mechListMIC to userspace,
> but it should not hold up us supporting krb5 in 2.6.27 (if there are
> other bugs in 2.6.27 krb5 support we could leave experimental on
> though).

There is one thing nobody has tried to test yet, namely an "expired session key".
Most probably it will lead to some error from the server side when it happens.
But there should be some sort of renegotiation in the protocol, or something like
that, without tearing down the session, but I haven't looked for it yet.

Jeff,
If we need to update the session key by requesting a new one from the KDC,
we may need to keep the MIC until the session ends.

> On Thu, Aug 21, 2008 at 12:48 PM, Jeff Layton <jlayton at redhat.com> wrote:
>> On Thu, 21 Aug 2008 10:55:58 -0500
>> "Steve French" <smfrench at gmail.com> wrote:
>>
>>> https://lists.anl.gov/pipermail/ietf-krb-wg/2002-December/002168.html
>>>
>>> --
>>> Thanks,
>>>
>>> Steve
>>
>> (cc'ing linux-cifs-client and Igor as well...)
>>
>> Thanks for that info, Steve. That makes a bit more sense. The first bug
>> mentioned explains why we need to support 2 different OID's. The second
>> one talks about the mechListMIC and why it has the server's principal
>> rather than a real MIC.
>>
>> Appendix C of the current SPNEGO RFC has some info on working around
>> MS bugs:
>>
>> http://tools.ietf.org/html/rfc4178
>>
>> ...and they make a bit more sense after reading the comments in this
>> other post.
>>
>> It seems to me that parsing this info out and sending it to userspace
>> is still reasonable. We could even have userspace do a sanity check of
>> this info. See if it looks like a principal name rather than a real MIC.
>>
>> Maybe something like:
>>
>> if (strstr(mechlistmic, "$@")) then try to use the mechlistmic field as
>> principal name.
>>
>> That said, given that this is a MS-specific quirk, it may make sense
>> to only use this info for MSKRB5 after all.
>>
>> Thoughts?
>> --
>> Jeff Layton <jlayton at redhat.com>
>>
>
>
>
> --
> Thanks,
>
> Steve
>
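Jeff's sanity check above (treat the mechListMIC as a principal name when it contains "$@"), done on a raw, length-bounded blob instead of a bare strstr(). This is an added example, not code from the thread or from cifs; the function name and the sample blobs are made up here.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample blobs (not captured from a real server). */
static const unsigned char sample_principal[] = "WIN2K8$@EXAMPLE.COM";
static const unsigned char sample_binary[] = { 0x01, 0x00, '$', '@', 0xff, 0x7e, 0x10 };
static char scratch[128];

/*
 * Hypothetical helper: decide whether a mechListMIC blob is really a
 * Windows machine-account principal ("HOST$@REALM") and, if so, copy it
 * out as a NUL-terminated string. It works on a length-bounded blob (a
 * raw MIC is not NUL-terminated, so strstr() over it could overrun) and
 * insists on printable ASCII throughout, so an opaque binary MIC that
 * merely contains the bytes '$' '@' is not mistaken for a name.
 * Returns 1 when the blob looks like a principal, 0 otherwise.
 */
int mechlistmic_as_principal(const unsigned char *mic, size_t miclen,
                             char *out, size_t outlen)
{
    size_t i, at = 0;

    if (!mic || miclen == 0 || miclen >= outlen)
        return 0;
    for (i = 0; i < miclen; i++) {
        if (!isprint(mic[i]))           /* binary byte: treat as a real MIC */
            return 0;
        if (mic[i] == '@' && i >= 2 && mic[i - 1] == '$')
            at = i;                     /* remember the last "$@" seen */
    }
    /* need "HOST$@" with a non-empty HOST and a non-empty REALM after it */
    if (at == 0 || at + 1 >= miclen)
        return 0;
    memcpy(out, mic, miclen);
    out[miclen] = '\0';
    return 1;
}

int main(void)
{
    if (mechlistmic_as_principal(sample_principal, sizeof(sample_principal) - 1,
                                 scratch, sizeof(scratch)))
        printf("principal name: %s\n", scratch);
    else
        printf("looks like a real MIC\n");
    return 0;
}
```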