svn commit: samba r9444 - in trunk/source/rpc_server: .

Jeremy Allison jra at samba.org
Sun Aug 21 17:00:51 GMT 2005


On Sun, Aug 21, 2005 at 03:57:20PM +0200, Stefan (metze) Metzmacher wrote:
> 
> > Now to add the krb5 auth type 9...
> Note that you may not be able to get this working with the samba3 krb5 code,
> as it didn't use the GSSAPI 8003 checksum in the Authenticator of the AP-REQ.
> 
> This checksum contains the flags needed to specify if sign or seal
> should be used (GSS_C_* flags).
> And for DCERPC krb5 uses 3 messages:
> 
> C->S: AP-REQ
> S->C: AP-REP
> C->S: AP-REP
> 
> and it uses the GSS_C_DCE_STYLE flag to negotiate this behavior.
> 
> search for GSS_C_DCE_STYLE
> samba4/source/heimdal/lib/gssapi/init_sec_context.c
> samba4/source/heimdal/lib/gssapi/accept_sec_context.c
> 
> and also the padding rules for sealing are changing when DCE_STYLE is used.
> See samba4/source/heimdal/lib/gssapi/arcfour.c
> 
> The DCE_STYLE stuff is not part of any published krb5 distro.

Thanks for that info. Correct me if I'm wrong, but I should
be able to build this up using the raw MIT krb5 interface if
I handle the gss wrapping of the AP-REQ and AP-REP blobs
myself, I think?

Jeremy
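
Added example, not part of the original thread and not Samba, Heimdal or MIT code: a minimal builder and parser for the body of the 0x8003 Authenticator checksum mentioned above, using the field layout from RFC 4121 section 4.1.1 (Lgth, Bnd, Flags) and omitting delegation. The function names and the sample flag combination are assumptions made for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* RFC 4121 section 4.1.1.1 flag bits; GSS_C_DCE_STYLE is the extension
 * value defined in the Heimdal and MIT krb5 GSSAPI headers. */
#define GSS_C_MUTUAL_FLAG   0x0002u
#define GSS_C_REPLAY_FLAG   0x0004u
#define GSS_C_SEQUENCE_FLAG 0x0008u
#define GSS_C_CONF_FLAG     0x0010u  /* seal */
#define GSS_C_INTEG_FLAG    0x0020u  /* sign */
#define GSS_C_DCE_STYLE     0x1000u
#define CKSUM_8003_MIN      24       /* Lgth(4) + Bnd(16) + Flags(4) */

static uint32_t get_le32(const uint8_t *p)
{
    return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Initiator side: write the minimal body (no delegation).
 * Returns bytes written, or 0 if the output buffer is too small. */
size_t build_8003(uint8_t *out, size_t outlen, const uint8_t *bnd, uint32_t flags)
{
    if (out == NULL || outlen < CKSUM_8003_MIN) return 0;
    memset(out, 0, CKSUM_8003_MIN);
    out[0] = 16;                                /* Lgth: size of Bnd, little-endian */
    if (bnd != NULL) memcpy(out + 4, bnd, 16);  /* channel-binding hash, else zeros */
    for (int i = 0; i < 4; i++) out[20 + i] = (uint8_t)(flags >> (8 * i));
    return CKSUM_8003_MIN;
}

/* Acceptor side: check the fixed header and extract the flags; -1 if malformed. */
int parse_8003(const uint8_t *buf, size_t len, uint32_t *flags)
{
    if (buf == NULL || flags == NULL || len < CKSUM_8003_MIN) return -1;
    if (get_le32(buf) != 16) return -1;         /* Bnd length is fixed at 16 */
    *flags = get_le32(buf + 20);
    return 0;
}

int main(void)
{
    uint8_t ck[CKSUM_8003_MIN];   /* constructed sample, not captured traffic */
    uint32_t f = 0;
    build_8003(ck, sizeof ck, NULL, GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG |
               GSS_C_SEQUENCE_FLAG | GSS_C_CONF_FLAG | GSS_C_INTEG_FLAG | GSS_C_DCE_STYLE);
    if (parse_8003(ck, sizeof ck, &f) != 0) return 1;
    printf("flags=0x%04x seal=%d sign=%d dce_style=%d\n", (unsigned)f,
           !!(f & GSS_C_CONF_FLAG), !!(f & GSS_C_INTEG_FLAG), !!(f & GSS_C_DCE_STYLE));
    return 0;
}
```

An acceptor that finds no 0x8003 checksum, or one that fails these length checks, has no flags to read and so cannot tell whether the client asked for sign, seal or DCE style.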

