svn commit: samba r9444 - in trunk/source/rpc_server: .

Stefan (metze) Metzmacher metze at samba.org
Mon Aug 22 15:16:05 GMT 2005


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Jeremy Allison schrieb:
> On Sun, Aug 21, 2005 at 03:57:20PM +0200, Stefan (metze) Metzmacher wrote:
> 
>>>Now to add the krb5 auth type 9...
>>
>>Note that you may not be able to get this working with the samba3 krb5 code,
>>as it didn't use the GSSAPI 8003 checksum in the Authenticator of the AP-REQ.
>>
>>This checksum contains the flags needed to specify whether sign or seal
>>should be used (GSS_C_* flags).
>>And for DCERPC krb5 uses 3 messages:
>>
>>C->S: AP-REQ
>>S->C: AP-REP
>>C->S: AP-REP
>>
>>and it uses the GSS_C_DCE_STYLE flag to negotiate this behavior.
>>
>>search for GSS_C_DCE_STYLE
>>samba4/source/heimdal/lib/gssapi/init_sec_context.c
>>samba4/source/heimdal/lib/gssapi/accept_sec_context.c
>>
>>and also the padding rules for sealing change when DCE_STYLE is used.
>>see samba4/source/heimdal/lib/gssapi/arcfour.c
>>
>>The DCE_STYLE stuff is not part of any published krb5 distro.
> 
> 
> Thanks for that info. Correct me if I'm wrong but I should
> be able to build this up using the raw MIT krb5 interface if
> I handle the gss wrapping of the AP-REQ and AP-REP blobs
> myself I think ?

I'm not sure what MIT offers, but you can't just use krb5_mk_req() and add the gss wrapping,
as the 8003 checksum is in the AP-REQ; heimdal has a krb5_build_ap_req() function

and also note in DCERPC the AP-REQ and AP-REP have no gss wrapping,
just the sealed blobs.

- --
metze

Stefan Metzmacher <metze at samba.org> www.samba.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3-nr1 (Windows XP)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFDCewzm70gjA5TCD8RAiR1AJ9C9BMKJQB1KryU9VU+J0CM+IBEeQCgz7qT
YA/6XflTniezlC+Xnpku+sY=
=ZQL1
-----END PGP SIGNATURE-----
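The 8003 checksum discussed in this thread, as an added example that is not part of the message and not Samba or heimdal code: a builder and parser for the GSS-API Kerberos checksum layout from RFC 1964 section 1.1.1 (a 4-byte length that must be 16, the 16-byte channel-binding MD5, 4 little-endian flag bytes, an optional delegation block, and any trailing extensions), plus a helper that reads off what the flags mean for a DCERPC peer: whether the third AP-REP leg is expected (GSS_C_DCE_STYLE) and whether sign (GSS_C_INTEG_FLAG) or seal (GSS_C_CONF_FLAG) was requested. The flag bit values come from RFC 2744; the GSS_C_DCE_STYLE value 0x1000 is taken from MS-KILE and heimdal's headers, not from this thread. The channel-binding hash and delegation bytes in the sample are constructed.

```python
import struct

# GSS-API request flag bits (RFC 2744 values).
GSS_C_DELEG_FLAG = 0x01
GSS_C_MUTUAL_FLAG = 0x02
GSS_C_REPLAY_FLAG = 0x04
GSS_C_SEQUENCE_FLAG = 0x08
GSS_C_CONF_FLAG = 0x10    # "seal": confidentiality requested
GSS_C_INTEG_FLAG = 0x20   # "sign": integrity requested
# DCE-style three-leg context setup (value per MS-KILE / heimdal, not RFC 2744).
GSS_C_DCE_STYLE = 0x1000

FLAG_NAMES = {
    GSS_C_DELEG_FLAG: "DELEG",
    GSS_C_MUTUAL_FLAG: "MUTUAL",
    GSS_C_REPLAY_FLAG: "REPLAY",
    GSS_C_SEQUENCE_FLAG: "SEQUENCE",
    GSS_C_CONF_FLAG: "CONF",
    GSS_C_INTEG_FLAG: "INTEG",
    GSS_C_DCE_STYLE: "DCE_STYLE",
}

CKSUMTYPE_GSSAPI = 0x8003   # Kerberos checksum type carried in the Authenticator
BND_LEN = 16                # MD5 of the channel bindings; all-zero when none are used


def build_8003_checksum(flags, bindings_md5=b"\x00" * BND_LEN, deleg=None):
    """Serialise the RFC 1964 1.1.1 checksum body for the given flags."""
    if len(bindings_md5) != BND_LEN:
        raise ValueError("Bnd must be a 16-byte MD5 digest")
    if deleg is not None and not (flags & GSS_C_DELEG_FLAG):
        raise ValueError("delegation data requires GSS_C_DELEG_FLAG")
    out = struct.pack("<I", BND_LEN) + bindings_md5 + struct.pack("<I", flags)
    if flags & GSS_C_DELEG_FLAG:
        if deleg is None:
            raise ValueError("GSS_C_DELEG_FLAG set but no KRB-CRED supplied")
        # DlgOpt is always 1; Dlgth is the KRB-CRED length; both little-endian.
        out += struct.pack("<HH", 1, len(deleg)) + deleg
    return out


def parse_8003_checksum(data):
    """Parse the checksum body; reject anything not matching the fixed layout."""
    if len(data) < 4 + BND_LEN + 4:
        raise ValueError("checksum truncated")
    (lgth,) = struct.unpack_from("<I", data, 0)
    if lgth != BND_LEN:
        raise ValueError("Lgth must be 16, got %d" % lgth)
    bnd = data[4:4 + BND_LEN]
    (flags,) = struct.unpack_from("<I", data, 4 + BND_LEN)
    off = 4 + BND_LEN + 4
    deleg = None
    if flags & GSS_C_DELEG_FLAG:
        if len(data) < off + 4:
            raise ValueError("delegation header truncated")
        dlgopt, dlgth = struct.unpack_from("<HH", data, off)
        off += 4
        if dlgopt != 1:
            raise ValueError("unknown DlgOpt %d" % dlgopt)
        if len(data) < off + dlgth:
            raise ValueError("KRB-CRED truncated")
        deleg = data[off:off + dlgth]
        off += dlgth
    # RFC 4121 4.1.1.2 extensions may follow; left opaque here.
    return {"bindings_md5": bnd, "flags": flags, "deleg": deleg, "extensions": data[off:]}


def describe_flags(flags):
    """Human-readable names of the set bits, unknown bits reported numerically."""
    names = [n for bit, n in sorted(FLAG_NAMES.items()) if flags & bit]
    unknown = flags & ~sum(FLAG_NAMES)
    if unknown:
        names.append("0x%x" % unknown)
    return names


def dcerpc_expectations(flags):
    """What a DCERPC peer should expect from the negotiated flags."""
    return {
        "three_leg": bool(flags & GSS_C_DCE_STYLE),   # extra client AP-REP leg
        "sign": bool(flags & GSS_C_INTEG_FLAG),
        "seal": bool(flags & GSS_C_CONF_FLAG),
    }


if __name__ == "__main__":
    # Constructed sample: a typical DCERPC seal request with mutual auth.
    want = (GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG
            | GSS_C_CONF_FLAG | GSS_C_INTEG_FLAG | GSS_C_DCE_STYLE)
    blob = build_8003_checksum(want)
    parsed = parse_8003_checksum(blob)
    print("cksumtype 0x%x, %d bytes" % (CKSUMTYPE_GSSAPI, len(blob)))
    print("flags:", describe_flags(parsed["flags"]))
    print("dcerpc:", dcerpc_expectations(parsed["flags"]))
```

A server that only honours the flags in the AP-REQ without checking `Lgth` or the delegation length accepts malformed Authenticators silently; the parser above fails closed on those fields so that a mismatch shows up as a decode error rather than a wrong sign/seal decision.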
