svn commit: samba r9444 - in trunk/source/rpc_server: .

Stefan (metze) Metzmacher metze at
Mon Aug 22 15:16:05 GMT 2005

Jeremy Allison wrote:
> On Sun, Aug 21, 2005 at 03:57:20PM +0200, Stefan (metze) Metzmacher wrote:
>>>Now to add the krb5 auth type 9...
>>Note that you may not be able to get this working with the samba3 krb5 code,
>>as it didn't use the GSSAPI 8003 checksum in the Authenticator of the AP-REQ.
>>this checksum contains the flags needed to specify if sign or seal
>>should be used (GSS_C_* flags).
>>And for DCERPC krb5 uses 3 messages:
>>C->S: AP-REQ
>>S->C: AP-REP
>>C->S: AP-REP
>>and it uses the GSS_C_DCE_STYLE flag to negotiate this behavior.
>>search for GSS_C_DCE_STYLE
>>and also the padding rules for sealing are changing when DCE_STYLE is used.
>>see samba4/source/heimdal/lib/gssapi/arcfour.c
>>The DCE_STYLE stuff is not part of any published krb5 distro.
> Thanks for that info. Correct me if I'm wrong but I should
> be able to build this up using the raw MIT krb5 interface if
> I handle the gss wrapping of the AP-REQ and AP-REP blobs
> myself I think ?

I'm not sure what MIT offers, but you can't just use krb5_mk_req() and add the gss wrapping
as the 8003 checksum is in the AP-REQ, heimdal has a krb5_build_ap_req() function

and also note in DCERPC the AP-REQ and AP-REP have no gss wrapping,
just the sealed blobs.

--

Stefan Metzmacher <metze at>
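An added example, not part of the original message and not Samba or Heimdal code: the body of the 0x8003 checksum discussed above, built and parsed using the layout in RFC 4121 section 4.1.1, showing where the sign, seal and DCE_STYLE flags sit. The `gss8003_*` function names are hypothetical, the `GSS_C_DCE_STYLE` value 0x1000 is taken from common GSSAPI headers, and the message count for DCE_STYLE follows the description in the post.

```c
/* Added example: 0x8003 checksum body per RFC 4121 section 4.1.1. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define GSS_C_DELEG_FLAG  0x0001
#define GSS_C_MUTUAL_FLAG 0x0002
#define GSS_C_CONF_FLAG   0x0010  /* seal requested */
#define GSS_C_INTEG_FLAG  0x0020  /* sign requested */
#define GSS_C_DCE_STYLE   0x1000  /* three-message exchange */

static uint32_t rd_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr_le32(uint8_t *p, uint32_t v) {
    for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i));
}

/* Build Lgth(4, =16) | Bnd(16) | Flags(4), little-endian; no delegation. */
size_t gss8003_build(uint8_t out[24], const uint8_t bnd[16], uint32_t flags) {
    wr_le32(out, 16);
    memcpy(out + 4, bnd, 16);
    wr_le32(out + 20, flags & ~(uint32_t)GSS_C_DELEG_FLAG);
    return 24;
}

/* Acceptor side: reject malformed bodies, then hand back the flags. */
int gss8003_parse(const uint8_t *buf, size_t len, uint32_t *flags) {
    if (len < 24 || rd_le32(buf) != 16) return -1;
    *flags = rd_le32(buf + 20);
    /* DlgOpt(2) + Dlgth(2) must follow when delegation is flagged */
    if ((*flags & GSS_C_DELEG_FLAG) && len < 28) return -1;
    return 0;
}

/* Messages in the exchange, as the post describes for DCE_STYLE. */
int gss8003_legs(uint32_t flags) {
    if (flags & GSS_C_DCE_STYLE) return 3;  /* AP-REQ, AP-REP, AP-REP */
    return (flags & GSS_C_MUTUAL_FLAG) ? 2 : 1;
}

int main(void) {
    uint8_t bnd[16] = {0}, body[24];  /* constructed: all-zero channel bindings */
    uint32_t f = 0;
    gss8003_build(body, bnd, GSS_C_MUTUAL_FLAG | GSS_C_CONF_FLAG |
                             GSS_C_INTEG_FLAG | GSS_C_DCE_STYLE);
    if (gss8003_parse(body, sizeof body, &f) == 0)
        printf("flags=0x%04x seal=%d sign=%d legs=%d\n", (unsigned)f,
               !!(f & GSS_C_CONF_FLAG), !!(f & GSS_C_INTEG_FLAG), gss8003_legs(f));
    return 0;
}
```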

