[linux-cifs-client] Re: SPNEGO OIDs and MIC

Jeff Layton jlayton at redhat.com
Thu Aug 21 21:15:44 GMT 2008


On Fri, 22 Aug 2008 00:25:08 +0400
"Q (Igor Mammedov)" <niallain at gmail.com> wrote:

> On Thu, Aug 21, 2008 at 11:28 PM, Steve French <smfrench at gmail.com> wrote:
> > I think there is some value in passing the mechListMIC to userspace,
> > but it should not hold up us supporting krb5 in 2.6.27 (if there are
> > other bugs in 2.6.27 krb5 support we could leave experimental on
> > though).
> 
> There is one thing nobody has tried to test yet, namely "expired session key".
> Most probably it will lead to some error from the server side when it happens.
> But there should be some sort of renegotiation in the protocol or something like
> that without tearing down a session, but I haven't looked for it yet.
> 
> Jeff,
> If we need to update the session key by requesting a new one from the KDC,
> we may need to keep the MIC till the session ends.
> 

Keeping it until the session ends sounds reasonable. I wonder though if
we shouldn't call this something other than "mic=". I now understand
that the MIC should really be holding a signature of sorts, and it
looks like Microsoft ended up hijacking that field to hold the
principal name (due to the bugs described in that list post).

-- 
Jeff Layton <jlayton at redhat.com>

