Work required before we enable krb5 in default config
Andrew Bartlett
abartlet at samba.org
Sat Sep 10 11:15:33 GMT 2005
On Thu, 2005-09-08 at 20:15 +1000, Andrew Bartlett wrote:
> Particularly with the recent PAC work done, we are now much, much closer
> to enabling the gensec_gssapi module by default, and therefore to
> transparently handling kerberos.
>
> The things that I see as TODO are in two categories: AES and DNS
>
> By using the AES encryption types, we change the properties of GSSAPI
> and kerberos, in ways that break more fragile bits of Samba. These are:
>
> PAC signatures (assumes a 16 byte key):
> The PAC parsing and verification code we have at the moment relies on
> fixed offsets into the end of the PAC buffer. This is clearly bogus...
> I want to change the PAC parsing to be handled in two levels, one for
> the outer wrapping, and another for the internal buffers. This would
> allow us to parse and zero the signatures, correctly. (We might not use
> the same pointer algorithm as for example a win2k server, so we can't
> fully parse and still check the sig).
We now support parsing variable length signatures, but need to locate
them correctly to zero them.
> GSSAPI wrapping (assumed a fixed GSSAPI wrap format):
> The GSSAPI gss_wrap() call isn't suitable for DCE/RPC, so I intend to
> add a new API to put back separate sign/seal interfaces with separate
> signature generation. This should work with the new AES wrap format. I
> need to figure out how Microsoft handles this...
We now support AES, but I don't yet have an MS testcase.
> On the DNS side of things:
> We need to ensure that Heimdal doesn't cause us to do blocking DNS
> lookups for domains that may not be kerberised, and in particular for
> the client-side canonicalisation of hostnames (that may not exist in
> DNS). I don't want to enable this, and have users swearing at DNS
> timeouts.
This looks easy, and I've proposed a config option to the krbdev and
heimdal lists.
> I think we are in a good position to fix these before a technology
> preview. I also want to fix the PAC handling inside the KDC, but this
> is far less critical.
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Samba Developer, SuSE Labs, Novell Inc. http://suse.de
Authentication Developer, Samba Team http://samba.org
Student Network Administrator, Hawker College http://hawkerc.net
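The point Andrew raises about PAC signatures (a fixed offset from the end of the PAC assumes a 16-byte RC4-HMAC signature, while the AES checksum types produce 12 bytes) can be made concrete by walking the PAC buffer table instead. The following is an added example written for this archive page, not Samba's own code; it follows the MS-PAC layout (PACTYPE header, PAC_INFO_BUFFER array, PAC_SIGNATURE_DATA bodies) and builds a constructed PAC with a made-up logon-info body and key. Only the RC4-HMAC checksum (RFC 4757 KERB_CHECKSUM_HMAC_MD5, key usage 17) is verified; the AES signature is located and zeroed but not checked, since that would need the RFC 3962 key derivation. The names `sample_pac`, `SAMPLE_KEY` and `SAMPLE_LOGON_INFO` are this example's own.

```python
"""Locate, zero and verify PAC signature buffers by walking the buffer table.

Added example, not Samba code. A signature buffer holds a PAC_SIGNATURE_DATA:
SignatureType (uint32) then a signature whose length depends on that type,
so the right place to zero is found from the PAC_INFO_BUFFER entry, not
from a fixed distance to the end of the PAC.
"""
import hashlib
import hmac
import struct

PAC_SERVER_CHECKSUM = 6   # ulType of the server signature buffer
PAC_KDC_CHECKSUM = 7      # ulType of the KDC signature buffer
KEY_USAGE_PAC_SERVER = 17 # KERB_NON_KERB_CKSUM_SALT

# Kerberos checksum type -> signature length in bytes
SIGNATURE_LEN = {
    0xFFFFFF76: 16,  # KERB_CHECKSUM_HMAC_MD5 (RC4-HMAC)
    0x0000000F: 12,  # HMAC_SHA1_96_AES128
    0x00000010: 12,  # HMAC_SHA1_96_AES256
}

SAMPLE_KEY = b"\x11" * 16                              # constructed
SAMPLE_LOGON_INFO = b"constructed PAC_LOGON_INFO body"  # constructed, not NDR


def parse_pac(pac):
    """Return [(ulType, offset, size)] from the PACTYPE header and buffer table."""
    n_buffers, version = struct.unpack_from("<II", pac, 0)
    if version != 0:
        raise ValueError("unexpected PAC version %d" % version)
    entries = []
    for i in range(n_buffers):
        ul_type, size, offset = struct.unpack_from("<IIQ", pac, 8 + 16 * i)
        if offset + size > len(pac):
            raise ValueError("buffer %d overruns the PAC" % i)
        entries.append((ul_type, offset, size))
    return entries


def find_signatures(pac):
    """Map checksum buffer type -> (signature offset, SignatureType, length)."""
    sigs = {}
    for ul_type, offset, size in parse_pac(pac):
        if ul_type not in (PAC_SERVER_CHECKSUM, PAC_KDC_CHECKSUM):
            continue
        (sig_type,) = struct.unpack_from("<I", pac, offset)
        sig_len = SIGNATURE_LEN.get(sig_type)
        if sig_len is None:
            raise ValueError("unknown signature type 0x%08x" % sig_type)
        if size < 4 + sig_len:
            raise ValueError("signature buffer too short for its type")
        sigs[ul_type] = (offset + 4, sig_type, sig_len)
    if set(sigs) != {PAC_SERVER_CHECKSUM, PAC_KDC_CHECKSUM}:
        raise ValueError("PAC lacks a server or KDC checksum buffer")
    return sigs


def zero_signatures(pac):
    """Copy of the PAC with both signature fields zeroed; SignatureType is kept."""
    out = bytearray(pac)
    for sig_off, _, sig_len in find_signatures(pac).values():
        out[sig_off:sig_off + sig_len] = b"\0" * sig_len
    return bytes(out)


def hmac_md5_checksum(key, usage, data):
    """RFC 4757 KERB_CHECKSUM_HMAC_MD5 over data with the given key usage."""
    ksign = hmac.new(key, b"signaturekey\0", hashlib.md5).digest()
    tmp = hashlib.md5(struct.pack("<I", usage) + data).digest()
    return hmac.new(ksign, tmp, hashlib.md5).digest()


def server_checksum_ok(pac, server_key):
    """Recompute the server signature over the zeroed PAC and compare."""
    sig_off, sig_type, sig_len = find_signatures(pac)[PAC_SERVER_CHECKSUM]
    if sig_type != 0xFFFFFF76:
        raise NotImplementedError("only the RC4-HMAC checksum is verified here")
    expected = hmac_md5_checksum(server_key, KEY_USAGE_PAC_SERVER, zero_signatures(pac))
    return hmac.compare_digest(pac[sig_off:sig_off + sig_len], expected)


def build_pac(buffers):
    """Constructed PAC from [(ulType, body)]; bodies are 8-byte aligned."""
    header_len = 8 + 16 * len(buffers)
    body, entries = bytearray(), []
    for ul_type, data in buffers:
        while (header_len + len(body)) % 8:
            body.append(0)
        entries.append(struct.pack("<IIQ", ul_type, len(data), header_len + len(body)))
        body += data
    return struct.pack("<II", len(buffers), 0) + b"".join(entries) + bytes(body)


def sample_pac(server_key=SAMPLE_KEY):
    """Constructed PAC: RC4-HMAC server signature filled in, AES256 KDC signature
    left zero (signing with the krbtgt key is the KDC's job, not shown)."""
    unsigned = build_pac([
        (1, SAMPLE_LOGON_INFO),
        (PAC_SERVER_CHECKSUM, struct.pack("<I", 0xFFFFFF76) + b"\0" * 16),
        (PAC_KDC_CHECKSUM, struct.pack("<I", 0x00000010) + b"\0" * 12),
    ])
    sig_off, _, sig_len = find_signatures(unsigned)[PAC_SERVER_CHECKSUM]
    out = bytearray(unsigned)
    out[sig_off:sig_off + sig_len] = hmac_md5_checksum(server_key, KEY_USAGE_PAC_SERVER, unsigned)
    return bytes(out)


if __name__ == "__main__":
    pac = sample_pac()
    print({t: (hex(st), n) for t, (_, st, n) in find_signatures(pac).items()})
    print("server signature ok:", server_checksum_ok(pac, SAMPLE_KEY))
```

In the constructed PAC the server signature is 16 bytes and the KDC signature 12, so the two signature fields are not at a fixed distance from the end of the buffer; a verifier that zeroed "the last 32 bytes" would corrupt the wrong bytes and then fail the checksum even for an untampered PAC. Walking the table also gives the bounds checks (buffer overrun, buffer shorter than its signature type implies) that a fixed-offset parser silently lacks.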