svn commit: samba r9196 - in branches/SAMBA_4_0/source/auth/kerberos: .

metze at samba.org metze at samba.org
Sun Aug 7 20:34:38 GMT 2005


Author: metze
Date: 2005-08-07 20:34:38 +0000 (Sun, 07 Aug 2005)
New Revision: 9196

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=9196

Log:
- add a note about the Canonicalize KDCOption flag

- add a note about old clients using the wrong checksum type for GSSAPI
  in the Authenticator

metze
Modified:
   branches/SAMBA_4_0/source/auth/kerberos/kerberos-notes.txt


Changeset:
Modified: branches/SAMBA_4_0/source/auth/kerberos/kerberos-notes.txt
===================================================================
--- branches/SAMBA_4_0/source/auth/kerberos/kerberos-notes.txt	2005-08-07 20:28:53 UTC (rev 9195)
+++ branches/SAMBA_4_0/source/auth/kerberos/kerberos-notes.txt	2005-08-07 20:34:38 UTC (rev 9196)
@@ -45,7 +45,22 @@
 Heimdal has the same problem, and this applies to the krb5 layer, not
 just gssapi.
 
+We need to test if the canonicalisation is controlled by the KDCOption
+flags, windows always sends the Canonicalize flags
 
+Old Clients (samba3 and HPUX clients) uses 'selfmade' gssapi/krb5
+for using it in the CIFS session setup. Because they use krb5_mk_req()
+they get a chksum field depending on the encryption type, but that's wrong
+for GSSAPI (see rfc 1964 section 1.1.1). The Cheksum type 8003
+should be used in the Authenticator of the AP-REQ! That allows the channel bindings,
+the GCC_C_* req_flags and optional delegation tickets to be passed from the client to the server.
+Hower windows doesn't seems to care about if the checksum is of the wrong type,
+for CIFS SessionSetups, it seems that the req_flags are just set to 0.
+So this can't work for LDAP connections with sign or seal, or for any DCERPC
+connection.
+
+So we need to also support old clients!
+
 Principal Names, long and short names
 -------------------------------------
 
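Review bot: The identifiers in the added "Old Clients" paragraph need correcting, since people will search the notes for them. "Cheksum type 8003" should read "checksum type 0x8003" (the value is hexadecimal in RFC 1964 section 1.1.1), and "GCC_C_* req_flags" should be "GSS_C_* req_flags". The paragraph also has typos: "Hower" for "However" and "doesn't seems" for "doesn't seem". In the sentence "So this can't work for LDAP connections with sign or seal", please say what "this" is. I take it to mean accepting an Authenticator whose checksum is not 0x8003 and treating req_flags as 0; if so, say so explicitly. The closing line "So we need to also support old clients!" would then be more useful if it stated the intended server behaviour, for example accept the wrong checksum type only for CIFS session setup and assume req_flags of 0. The canonicalisation note above it lacks a full stop and mixes "Canonicalize flags" (plural) with a single KDCOption flag.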