Work required before we enable krb5 in default config

Andrew Bartlett abartlet at samba.org
Thu Sep 8 10:15:41 GMT 2005


Particularly with the recent PAC work done, we are now much, much closer
to enabling the gensec_gssapi module by default, and therefore to
transparently handling kerberos.

The things that I see as TODO are in two categories: AES and DNS.

By using the AES encryption types, we change the properties of GSSAPI
and kerberos, in ways that break more fragile bits of Samba.  These are:

PAC signatures (assumes a 16 byte key):
The PAC parsing and verification code we have at the moment relies on
fixed offsets into the end of the PAC buffer.  This is clearly bogus...
I want to change the PAC parsing to be handled in two levels, one for
the outer wrapping, and another for the internal buffers.  This would
allow us to parse and zero the signatures, correctly.  (We might not use
the same pointer algorithm as for example a win2k server, so we can't
fully parse and still check the sig).  

GSSAPI wrapping (assumed a fixed GSSAPI wrap format):
The GSSAPI gss_wrap() call isn't suitable for DCE/RPC, so I intend to
add a new API to put back separate sign/seal interfaces with separate
signature generation.  This should work with the new AES wrap format.  I
need to figure out how Microsoft handles this...

On the DNS side of things:
We need to ensure that Heimdal doesn't cause us to do blocking DNS
lookups for domains that may not be kerberised, and in particular for
the client-side canonicalisation of hostnames (that may not exist in
DNS).  I don't want to enable this, and have users swearing at DNS
timeouts.

I think we are in a good position to fix these before a technology
preview.  I also want to fix the PAC handling inside the KDC, but this
is far less critical.

Andrew Bartlett
-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Samba Developer, SuSE Labs, Novell Inc.        http://suse.de
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net
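The two-level PAC parsing proposed above, as an added Python example that is neither Samba code nor the author's patch: a first pass over the PACTYPE header and the PAC_INFO_BUFFER table, then a second pass over each PAC_SIGNATURE_DATA buffer that takes the signature length from the checksum type (16 bytes for the RC4 HMAC-MD5 checksum, 12 bytes for the AES ones) instead of a fixed offset from the end of the buffer. Structure layout and type values are those published in the MS-PAC specification; the sample PAC is constructed here.

```python
import struct
PAC_LOGON_INFO, PAC_SERVER_CHECKSUM, PAC_KDC_CHECKSUM = 1, 6, 7  # MS-PAC ulType values
SIGNATURE_LENGTH = {  # MS-PAC checksum type -> signature length in bytes
    0xFFFFFF76: 16,  # KERB_CHECKSUM_HMAC_MD5 (RC4 key): the 16-byte case the old code assumes
    0x0000000F: 12,  # HMAC_SHA1_96_AES128: only 12 bytes
    0x00000010: 12,  # HMAC_SHA1_96_AES256: only 12 bytes
}

def parse_pac_outer(pac):
    """Level 1: PACTYPE header and PAC_INFO_BUFFER table -> {ulType: (offset, size)}."""
    count, version = struct.unpack_from("<II", pac, 0)
    if version != 0:
        raise ValueError("unsupported PAC version")
    buffers = {}
    for i in range(count):
        ul_type, size, offset = struct.unpack_from("<IIQ", pac, 8 + 16 * i)
        if offset + size > len(pac):
            raise ValueError("PAC_INFO_BUFFER points outside the PAC")
        buffers[ul_type] = (offset, size)
    return buffers

def signature_span(pac, buffers, ul_type):
    """Level 2: PAC_SIGNATURE_DATA; the checksum type, not a fixed offset, gives the length."""
    offset, size = buffers[ul_type]
    (sig_type,) = struct.unpack_from("<I", pac, offset)
    sig_len = SIGNATURE_LENGTH.get(sig_type)
    if sig_len is None or size < 4 + sig_len:
        raise ValueError("unknown checksum type or truncated signature buffer")
    return offset + 4, sig_len

def zero_signatures(pac):
    """Copy of the PAC with both signatures zeroed, ready for recomputing the checksums."""
    buffers = parse_pac_outer(pac)
    out = bytearray(pac)
    for ul_type in (PAC_SERVER_CHECKSUM, PAC_KDC_CHECKSUM):
        off, n = signature_span(pac, buffers, ul_type)
        out[off:off + n] = bytes(n)
    return bytes(out)

def build_sample_pac(sig_type, sig):
    """Constructed sample PAC: a placeholder logon-info buffer plus both checksum buffers."""
    payloads = [(PAC_LOGON_INFO, b"constructed logon info"),
                (PAC_SERVER_CHECKSUM, struct.pack("<I", sig_type) + sig),
                (PAC_KDC_CHECKSUM, struct.pack("<I", sig_type) + sig)]
    table, body = b"", b""
    for ul_type, data in payloads:
        offset = 8 + 16 * len(payloads) + len(body)  # buffers follow the table
        table += struct.pack("<IIQ", ul_type, len(data), offset)
        body += data + bytes(-len(data) % 8)  # each buffer padded to 8-byte alignment
    return struct.pack("<II", len(payloads), 0) + table + body
```

With the AES sample the KDC checksum buffer is 16 bytes long in total, so code that assumes a 16-byte signature at a fixed distance from the end would zero the checksum type field rather than the signature.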