[SCM] Samba Shared Repository - branch v3-2-test updated - release-3-2-0pre2-2797-g5f41913

Jeremy Allison jra at samba.org
Wed Sep 10 00:14:28 GMT 2008


On Wed, Sep 10, 2008 at 12:55:15AM +0100, Love Hörnquist Åstrand wrote:
>>> MIT refuses this packet, heimdal have fix for samba brokenness. msft
>>> just  accepts both types.
>>
>> Ah. So we really should be calling ads_krb5_get_fwd_ticket in
>> every case (just calling krb5_fwd_tgt_creds() with the
>> "forwardable" flag as zero in the non-forwardable
>> case.
>
> No, you don't want a ticket in the 8003 checksum if you don't forward,  
> and you don't want the penalty of a rtt to the kdc if you don't need it.
>
> You should always use the 8003 checksum.

Ok, that makes sense. I'm beginning to see what we
should do for this. In the non-forwardable case,
before calling krb5_mk_req_extended() we would do
the same set up as for forwardable :

krb5_auth_con_init(context, auth_context);
krb5_auth_con_setuseruserkey(context, *auth_context, &credsp->keyblock);
krb5_auth_con_setflags(context, *auth_context,
KRB5_AUTH_CONTEXT_USE_SUBKEY);

then instead of calling krb5_fwd_tgt_creds()
just malloc an array of chars size GSSAPI_CHECKSUM_SIZE,
into pChksum, set up as we're currently doing in
ads_krb5_get_fwd_ticket():

        p = pChksum;
        SIVAL(p, 0, GSSAPI_BNDLENGTH);
        p += 4;
        /* Zero out the bindings fields */
        memset(p, '\0', GSSAPI_BNDLENGTH );
        p += GSSAPI_BNDLENGTH;
        SIVAL(p, 0, 0 );
        p += 4;

	/* As I noticed below, these are the
	   DlgOpt and Dlgth I think. So
	   we don't need these  - so we'd
	   allocate GSSAPI_BNDLENGTH + 8,
	   not GSSAPI_BNDLENGTH + 12 as we
	   currently do. */

        SSVAL(p, 0, 1 );
        p += 2;
        SSVAL(p, 0, 0 );
        p += 2;

krb5_auth_con_set_req_cksumtype( context, *auth_context, GSSAPI_CHECKSUM );
authenticator->length = GSSAPI_CHECKSUM_SIZE;
authenticator->data = (char *)pChksum;

and we should be creating 8003 checksum packets.

>> However, I'm assuming that if we continue when
>> krb5_fwd_tgt_creds() fails the returned fwdData will
>> not have been created, and so I really should add
>> a "if (fwdData.length)" around the "memcpy(p, fwdData.data,  
>> fwdData.length"
>> call and any other use of fwdData.data.
>>
>> Correct ?
>
> You need to strip off the DlgOpt and Dlgth too.

Ah, these are the values here :

        SSVAL(p, 0, 1 );
        p += 2;
        SSVAL(p, 0, 0 );
        p += 2;

- got it I think.

This is too great a change for the next release (19th)
so I think I'm going to go with my patch if it works,
but I think I can make this work for the 3.3 release.

No more non-8003 checksums :-).

Jeremy.
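
The 0x8003 checksum field discussed in this message, built with and without the delegation trailer. This is an added example, not part of the original mail and not Samba code. It assumes the field layout of RFC 4121 section 4.1.1 (Lgth, Bnd, Flags, then DlgOpt/Dlgth/Deleg only when delegating); build_8003_cksum and the CKSUM_* names are hypothetical, and the Deleg bytes are whatever KRB_CRED the caller passes in.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumed from RFC 4121 4.1.1; these are not Samba's GSSAPI_* macros. */
#define CKSUM_BND_LEN    16u                        /* value stored in Lgth */
#define CKSUM_FLAG_DELEG 0x1u                       /* GSS_C_DELEG_FLAG */
#define CKSUM_FIXED_LEN  (4u + CKSUM_BND_LEN + 4u)  /* Lgth + Bnd + Flags = 24 */

static void put_le16(uint8_t *p, uint16_t v)
{
    p[0] = (uint8_t)(v & 0xff);
    p[1] = (uint8_t)(v >> 8);
}

static void put_le32(uint8_t *p, uint32_t v)
{
    put_le16(p, (uint16_t)(v & 0xffff));
    put_le16(p + 2, (uint16_t)(v >> 16));
}

/* Build the checksum field into out[0..cap). Returns the number of bytes
 * written, or 0 if the buffer is too small or the credential is too long.
 * Without a credential the result is the 24-byte form with no DlgOpt/Dlgth
 * and the delegation flag cleared. */
size_t build_8003_cksum(uint8_t *out, size_t cap, uint32_t flags,
                        const uint8_t *deleg, size_t deleg_len)
{
    int have_deleg = (deleg != NULL && deleg_len > 0);
    size_t need = CKSUM_FIXED_LEN;

    if (deleg_len > 0xffff)            /* Dlgth is a 16-bit field */
        return 0;
    if (have_deleg) {
        need += 4 + deleg_len;         /* DlgOpt + Dlgth + Deleg */
        flags |= CKSUM_FLAG_DELEG;
    } else {
        flags &= ~CKSUM_FLAG_DELEG;    /* flag and trailer must agree */
    }
    if (out == NULL || cap < need)
        return 0;

    put_le32(out, CKSUM_BND_LEN);                  /* Lgth */
    memset(out + 4, 0, CKSUM_BND_LEN);             /* Bnd: zeroed bindings */
    put_le32(out + 4 + CKSUM_BND_LEN, flags);      /* Flags */
    if (have_deleg) {
        uint8_t *p = out + CKSUM_FIXED_LEN;
        put_le16(p, 1);                            /* DlgOpt */
        put_le16(p + 2, (uint16_t)deleg_len);      /* Dlgth */
        memcpy(p + 4, deleg, deleg_len);           /* Deleg */
    }
    return need;
}
```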

