Work required before we enable krb5 in default config

Andrew Bartlett abartlet at samba.org
Sat Sep 10 11:15:33 GMT 2005


On Thu, 2005-09-08 at 20:15 +1000, Andrew Bartlett wrote:
> Particularly with the recent PAC work done, we are now much, much closer
> to enabling the gensec_gssapi module by default, and therefore to
> transparently handling kerberos.
> 
> The things that I see as TODO are in two categories:  AES and DNS
> 
> By using the AES encryption types, we change the properties of GSSAPI
> and kerberos, in ways that break more fragile bits of Samba.  These are:
> 
> PAC signatures (assumes a 16 byte key):
> The PAC parsing and verification code we have at the moment relies on
> fixed offsets into the end of the PAC buffer.  This is clearly bogus...
> I want to change the PAC parsing to be handled in two levels, one for
> the outer wrapping, and another for the internal buffers.  This would
> allow us to parse and zero the signatures, correctly.  (We might not use
> the same pointer algorithm as for example a win2k server, so we can't
> fully parse and still check the sig).  

We now support parsing variable length signatures, but need to locate
them correctly to zero them.  

> GSSAPI wrapping (assumed a fixed GSSAPI wrap format):
> The GSSAPI gss_wrap() call isn't suitable for DCE/RPC, so I intend to
> add a new API to put back separate sign/seal interfaces with separate
> signature generation.  This should work with the new AES wrap format.  I
> need to figure out how Microsoft handles this...

We now support AES, but I don't yet have an MS testcase.

> On the DNS side of things:
> We need to ensure that Heimdal doesn't cause us to do blocking DNS
> lookups for domains that may not be kerberised, and in particular for
> the client-side canonicalisation of hostnames (that may not exist in
> DNS).  I don't want to enable this, and have users swearing at DNS
> timeouts.

This looks easy, and I've proposed a config option to the krbdev and
heimdal lists.

> I think we are in a good position to fix these before a technology
> preview.  I also want to fix the PAC handling inside the KDC, but this
> is far less critical.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Samba Developer, SuSE Labs, Novell Inc.        http://suse.de
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net
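
Added example, not part of the original message and not Samba's code: a two-level PAC walk that locates the server and KDC checksum buffers through the outer buffer directory and zeroes only the signature bytes, whether they are 16 (HMAC-MD5) or 12 (AES) bytes long. The layout and type values follow the public MS-PAC description as an assumption; `pac_zero_signatures`, `sig_len` and `sample_pac` are hypothetical names.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

static uint32_t le32(const uint8_t *p) {
    return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Signature length by checksum type: 16 for HMAC-MD5, 12 for the AES types. */
static size_t sig_len(uint32_t t) {
    return t == 0xFFFFFF76u ? 16 : (t == 15 || t == 16) ? 12 : 0;
}

/* Added example (assumes the MS-PAC layout). Outer level: walk the buffer
 * directory (count, version, then 16-byte entries of type, size, 64-bit
 * offset). Inner level: in checksum buffers 6 (server) and 7 (KDC), zero
 * only the signature. Returns signatures zeroed, or -1 if malformed. */
int pac_zero_signatures(uint8_t *pac, size_t len) {
    if (len < 8) return -1;
    uint32_t count = le32(pac);
    if (count > (len - 8) / 16) return -1;        /* directory must fit */
    int zeroed = 0;
    for (uint32_t i = 0; i < count; i++) {
        const uint8_t *e = pac + 8 + (size_t)i * 16;
        uint32_t type = le32(e), size = le32(e + 4), off = le32(e + 8);
        if (le32(e + 12) != 0 || off > len || size > len - off) return -1;
        if (type != 6 && type != 7) continue;     /* not a checksum buffer */
        size_t n = size < 4 ? 0 : sig_len(le32(pac + off));
        if (n == 0 || n > size - 4) return -1;    /* unknown type or short buffer */
        memset(pac + off + 4, 0, n);              /* keep the 4-byte type field */
        zeroed++;
    }
    return zeroed;
}

/* Constructed sample: an AES256 server checksum at offset 40, followed by
 * a dummy type-1 buffer, so the signature is not at the end of the PAC. */
static uint8_t sample_pac[64] = {
    2,0,0,0, 0,0,0,0,                        /* buffer count, version */
    6,0,0,0, 16,0,0,0, 40,0,0,0,0,0,0,0,     /* type 6, size 16, offset 40 */
    1,0,0,0, 8,0,0,0, 56,0,0,0,0,0,0,0,      /* type 1, size 8, offset 56 */
    16,0,0,0, 0xAA,0xAA,0xAA,0xAA,0xAA,0xAA,0xAA,0xAA,0xAA,0xAA,0xAA,0xAA,
    0x11,0x11,0x11,0x11,0x11,0x11,0x11,0x11,
};

int main(void) {
    printf("zeroed %d signature(s)\n", pac_zero_signatures(sample_pac, sizeof sample_pac));
    return 0;
}
```

In the sample, a fixed 16-byte offset from the end of the buffer would hit the last four signature bytes and the whole dummy buffer; the directory walk zeroes bytes 44 to 55 only.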