Kerberos Ticket Forwarding Patch/Update (3.2)

Derrick Schommer dschommer at
Mon Jul 28 19:44:55 GMT 2008

I'm not sure anything needs to be byte swapped if I'm reading this spec right:

The 0x8003 GSS checksum MUST have the following
Octet     Name       Description
      0..3      Lgth       Number of octets in Bnd field;  Represented
                            in little-endian order;  Currently contains
                            hex value 10 00 00 00 (16).
      4..19     Bnd        Channel binding information, as described in
                            section [RFC4121].
      20..23    Flags      Four-octet context-establishment flags in
                            little-endian order as described in section
      24..25    DlgOpt     The delegation option identifier (=1) in
                            little-endian order [optional].  This field
                            and the next two fields are present if and
                            only if GSS_C_DELEG_FLAG is set as described
                            in section [RFC4121].
      26..27    Dlgth      The length of the Deleg field in
                            little-endian order [optional].
      28..(n-1) Deleg      KRB_CRED message (n = Dlgth + 28) [optional].
      n..last   Exts       Extensions


-----Original Message-----
From: Love Hörnquist Åstrand [mailto:lha at] 
Sent: Saturday, July 26, 2008 14:41
To: Derrick Schommer
Cc: samba-technical at
Subject: Re: Kerberos Ticket Forwarding Patch/Update (3.2)

The flags field in the 8003 checksum should match the gss-api flags  
given to gss_init_sec_context(), your patch sets it to  
GSSAPI_NO_C_BINDINGS (0), which is wrong, it should at least be  
GSS_C_DELEG_FLAG, see page 4 of rfc1934.

+  uint8_t    deleg[];                    /* Deleg field buffer ( one  
or more bytes of GSS-API data) */

This is not valid c89.

The patch do no byte swaping, so it will only work on LE machines.


25 jul 2008 kl. 20.14 skrev Derrick Schommer:

> Here is the update with C-style comment fixes for 3.2 for the Kerberos
> update and the gss_init() updated to have the C_DELEGAT flag enabled.

More information about the samba-technical mailing list