Work required before we enable krb5 in default config

Andrew Bartlett abartlet at samba.org
Thu Sep 8 10:08:12 GMT 2005


Particularly with the recent PAC work done, we are now much, much closer
to enabling the gensec_gssapi module by default, and therefore to
transparently handling Kerberos.

The things that I see as TODO are in two categories: AES and DNS.

By using the AES encryption types, we change the properties of GSSAPI
and Kerberos, in ways that break more fragile bits of Samba.  These are:

 - PAC signatures (assumes a 16 byte key):
   The PAC parsing and verification code we have at the moment relies on
   fixed offsets into the end of the PAC bugg

 - GSSAPI wrapping (assumed a fixed GSSAPI wrap format)

Both of these can be fixed (a 'mere matter of programming').

Andrew Bartlett
-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Samba Developer, SuSE Labs, Novell Inc.        http://suse.de
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net
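
The PAC signature point above, as an added example that is not part of the original message and is not Samba's code: a lookup that finds each signature buffer through the PAC buffer table and sizes it from its checksum type instead of assuming 16 bytes at a fixed offset. The layout and type values follow the published MS-PAC format; the function names and the sample blob are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

enum { PAC_SRV_CHECKSUM = 6, PAC_KDC_CHECKSUM = 7 };  /* ulType values (MS-PAC) */

static uint32_t le32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
/* Signature length follows from the checksum type, not from a constant 16. */
static size_t sig_len(uint32_t type) {
    if (type == 0xFFFFFF76u) return 16;       /* HMAC-MD5 (-138), RC4 keys */
    if (type == 15 || type == 16) return 12;  /* HMAC-SHA1-96, AES128/AES256 */
    return 0;                                 /* unknown type: reject */
}
/* Locate signature buffer `want` via the buffer table; returns its length or -1. */
int pac_find_signature(const uint8_t *pac, size_t len, uint32_t want, const uint8_t **sig) {
    if (len < 8) return -1;
    uint32_t n = le32(pac);                   /* cBuffers */
    if (n > (len - 8) / 16) return -1;        /* whole table must fit in the blob */
    for (uint32_t i = 0; i < n; i++) {
        const uint8_t *e = pac + 8 + 16 * (size_t)i;
        uint64_t off = le32(e + 8) | (uint64_t)le32(e + 12) << 32;
        uint32_t size = le32(e + 4);
        if (le32(e) != want) continue;
        if (off > len || size > len - off || size < 4) return -1;
        size_t sl = sig_len(le32(pac + off));
        if (sl == 0 || size < 4 + sl) return -1;
        *sig = pac + off + 4;                 /* skip the SignatureType field */
        return (int)sl;
    }
    return -1;
}
/* Constructed sample (not a real PAC): AES256 server checksum, HMAC-MD5 KDC checksum. */
static const uint8_t SAMPLE[80] = {
    0x02,0,0,0, 0,0,0,0, 0x06,0,0,0, 0x10,0,0,0,
    0x28,0,0,0, 0,0,0,0, 0x07,0,0,0, 0x14,0,0,0,
    0x38,0,0,0, 0,0,0,0, 0x10,0,0,0, 0xA0,0xA0,0xA0,0xA0,
    0xA0,0xA0,0xA0,0xA0, 0xA0,0xA0,0xA0,0xA0, 0x76,0xFF,0xFF,0xFF, 0xA1,0xA1,0xA1,0xA1,
    0xA1,0xA1,0xA1,0xA1, 0xA1,0xA1,0xA1,0xA1, 0xA1,0xA1,0xA1,0xA1, 0,0,0,0
};
int main(void) {
    const uint8_t *sig;
    int srv = pac_find_signature(SAMPLE, sizeof SAMPLE, PAC_SRV_CHECKSUM, &sig);
    int kdc = pac_find_signature(SAMPLE, sizeof SAMPLE, PAC_KDC_CHECKSUM, &sig);
    printf("server checksum: %d bytes, KDC checksum: %d bytes\n", srv, kdc);
    return 0;
}
```

In the sample, the last 16 bytes of the blob cover 12 bytes of the KDC signature plus 4 bytes of alignment padding, so reading a signature from a fixed position at the end returns the wrong bytes.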