Work required before we enable krb5 in default config

Andrew Bartlett abartlet at samba.org
Fri Sep 9 06:39:30 GMT 2005


On Fri, 2005-09-09 at 01:00 +1000, Luke Howard wrote:
> >GSSAPI wrapping (assumed a fixed GSSAPI wrap format):
> >The GSSAPI gss_wrap() call isn't suitable for DCE/RPC, so I intend to
> >add a new API to put back separate sign/seal interfaces with separate
> >signature generation.  This should work with the new AES wrap format.  I
> >need to figure out how Microsoft handles this...
> 
> I think the gss_wrap_ex() we added should do this, it's sitting in
> the mechglue branch of Heimdal.

I've just checked that out, and I'll have some fun trying to port that
to lorikeet-heimdal.

> >We need to ensure that Heimdal doesn't cause us to do blocking DNS
> >lookups for domains that may not be kerberised, and in particular for
> >the client-side canonicalisation of hostnames (that may not exist in
> >DNS).  I don't want to enable this, and have users swearing at DNS
> >timeouts.
> 
> You should be able to disable this entirely in the client library,
> it's not necessary with Active Directory because the KDC can do name
> canonicalization.

Yep, and this is what I'm looking to do.  Is there a standard option
name for this already in use elsewhere?  Assuming I was to try and get
this into upstream distributions, I assume I would want this on for AD
realms (and eventually other KDCs if they start to support this), and
off for current MIT/Heimdal etc realms.  It would be nice to be
consistent if possible.

Otherwise, I agree this should be pretty easy to hack off, I think I
know the spot to modify. :-)

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Samba Developer, SuSE Labs, Novell Inc.        http://suse.de
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net