Work required before we enable krb5 in default config

Andrew Bartlett abartlet at
Sat Sep 10 11:15:33 GMT 2005

On Thu, 2005-09-08 at 20:15 +1000, Andrew Bartlett wrote:
> Particularly with the recent PAC work done, we are now much, much closer
> to enabling the gensec_gssapi module by default, and therefore to
> transparently handling kerberos.
> The things that I see as TODO are in two categories:  AES and DNS
> By using the AES encryption types, we change the properties of GSSAPI
> and kerberos, in ways that break more fragile bits of Samba.  These are:
> PAC signatures (assumes a 16 byte key):
> The PAC parsing and verification code we have at the moment relies on
> fixed offsets into the end of the PAC buffer.  This is clearly bogus...
> I want to change the PAC parsing to be handled in two levels, one for
> the outer wrapping, and another for the internal buffers.  This would
> allow us to parse and zero the signatures, correctly.  (We might not use
> the same pointer algorithm as for example a win2k server, so we can't
> fully parse and still check the sig).  

We now support parsing variable length signatures, but need to locate
them correctly to zero them.  

> GSSAPI wrapping (assumed a fixed GSSAPI wrap format):
> The GSSAPI gss_wrap() call isn't suitable for DCE/RPC, so I intend to
> add a new API to put back separate sign/seal interfaces with separate
> signature generation.  This should work with the new AES wrap format.  I
> need to figure out how Microsoft handles this...

We now support AES, but I don't yet have an MS testcase.

> On the DNS side of things:
> We need to ensure that Heimdal doesn't cause us to do blocking DNS
> lookups for domains that may not be kerberised, and in particular for
> the client-side canonicalisation of hostnames (that may not exist in
> DNS).  I don't want to enable this, and have users swearing at DNS
> timeouts.

This looks easy, and I've proposed a config option to the krbdev and
heimdal lists.

> I think we are in a good position to fix these before a technology
> preview.  I also want to fix the PAC handling inside the KDC, but this
> is far less critical.

Andrew Bartlett

Andrew Bartlett                      
Samba Developer, SuSE Labs, Novell Inc.
Authentication Developer, Samba Team 
Student Network Administrator, Hawker College
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url :

More information about the samba-technical mailing list