svn commit: samba r9444 - in trunk/source/rpc_server: .

Stefan (metze) Metzmacher metze at samba.org
Sun Aug 21 13:57:20 GMT 2005


> Author: jra
> Date: 2005-08-21 06:09:27 +0000 (Sun, 21 Aug 2005)
> New Revision: 9444
>
> WebSVN:
> http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=9444
>
> Log:
> With these changes to the alter context reply (which doesn't
> add any auth stub data on the third leg of an SPNEGO NTLMSSP
> auth reply) we can now use bind auth type (9) signed and sealed
> to browse a Samba registry from a W2K3 full service pack and
> patched machine.
Nice work!

> Now to add the krb5 auth type 9...
Note that you may not be able to get this working with the samba3 krb5 code,
as it didn't use the GSSAPI 8003 checksum in the Authenticator of the AP-REQ.

This checksum contains the flags needed to specify if sign or seal
should be used (GSS_C_* flags).
And for DCERPC krb5 uses 3 messages:

C->S: AP-REQ
S->C: AP-REP
C->S: AP-REP

And it uses the GSS_C_DCE_STYLE flag to negotiate this behavior.

Search for GSS_C_DCE_STYLE in:
samba4/source/heimdal/lib/gssapi/init_sec_context.c
samba4/source/heimdal/lib/gssapi/accept_sec_context.c

Also, the padding rules for sealing change when DCE_STYLE is used.
See samba4/source/heimdal/lib/gssapi/arcfour.c

The DCE_STYLE stuff is not part of any published krb5 distro.

--
metze

Stefan Metzmacher <metze at samba dot org>
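
The checksum described in the message above, as an added example that is not part of the original post and is not Samba or Heimdal code: a parser for the flags field of the 0x8003 Authenticator checksum, using the layout from RFC 4121 section 4.1.1. The function names and the sample bytes are constructed for illustration, and the GSS_C_DCE_STYLE value 0x1000 is the one assumed from the Heimdal and MIT GSSAPI headers.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Flag bits carried in the 0x8003 checksum (RFC 4121, section 4.1.1.1). */
#define GSS_C_MUTUAL_FLAG 0x0002u
#define GSS_C_CONF_FLAG   0x0010u /* seal */
#define GSS_C_INTEG_FLAG  0x0020u /* sign */
#define GSS_C_DCE_STYLE   0x1000u /* assumed value, see lead-in */

enum prot { PROT_NONE, PROT_SIGN, PROT_SEAL };

/* Constructed sample: Lgth = 16 (LE), all-zero Bnd, Flags = 0x103E (LE). */
static const uint8_t sample_cksum[24] = { 0x10, 0, 0, 0, [20] = 0x3E, 0x10 };

static uint32_t le32(const uint8_t *p)
{
    return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Return the Flags field, or -1 if the buffer is truncated or Lgth != 16. */
int64_t gss8003_flags(const uint8_t *buf, size_t len)
{
    if (buf == NULL || len < 24 || le32(buf) != 16) return -1;
    return (int64_t)le32(buf + 20); /* Flags follow Lgth(4) + Bnd(16) */
}

/* Protection level the initiator asked for: seal implies sign. */
enum prot gss8003_protection(uint32_t flags)
{
    if (flags & GSS_C_CONF_FLAG) return PROT_SEAL;
    if (flags & GSS_C_INTEG_FLAG) return PROT_SIGN;
    return PROT_NONE;
}

/* Messages in the exchange: 3 with DCE_STYLE, 2 with mutual auth, else 1. */
int gss8003_legs(uint32_t flags)
{
    if (flags & GSS_C_DCE_STYLE) return 3;
    return (flags & GSS_C_MUTUAL_FLAG) ? 2 : 1;
}

int main(void)
{
    int64_t f = gss8003_flags(sample_cksum, sizeof sample_cksum);
    printf("flags=%#llx legs=%d\n", (unsigned long long)f, gss8003_legs((uint32_t)f));
    return f < 0;
}
```

An acceptor that never reads this checksum sees none of these bits, so it cannot tell that sign, seal or the three-message exchange was requested.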

