Samba3's fake GSSAPI and FreeBSD

Andrew Bartlett abartlet at samba.org
Sat Sep 11 03:01:16 MDT 2010


Jeremy,

I've been working with Volker to uncover an issue between Samba4 and
your recent change to clikb5.c:ads_krb5_mk_req() in
http://gitweb.samba.org/?p=samba.git;a=commitdiff;h=5912206606babc178aa1e3c1a3be853eba808323;hp=c75106fd3ab3715af190dbbdeda9809a019edaac

While the whole patch scares me (if we need to use real GSSAPI that
badly, we should use GSSAPI, and stop faking it up), the problem is that
we have too many combinations.  In this case, the create_gss_checksum()
call is made, but on FreeBSD the krb5_auth_con_set_req_cksumtype() call
is not made as its library does not support it.

Samba4 will cope with the previous behaviour (a normal krb5 checksum
without a gssapi channel binding), and with a full gssapi channel
binding, but not this particular combination.  As this is all well
outside real GSSAPI behaviour, I've put this change in to keep
everything consistent.

http://gitweb.samba.org/?p=samba.git;a=commitdiff;h=3b4db34011f06fb785153fa9070fb1da9d8f5c78

Perhaps we should have two simple defines:  HAVE_KRB5 and
HAVE_MODERN_KRB5, with a switch between the two rather than testing for
each function, and getting too many combinations.  We just can't test
the number of variations at the moment.  

In the long term, I very much look forward to replacing this with real
GSSAPI at some point, and removing much of this complexity.

Andrew Bartlett
-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Cisco Inc.
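
An added example, not part of the original message and not Samba code: a small C model of the mismatch described above, comparing per-function feature tests with a single derived switch. The structs, the function names and the way HAVE_MODERN_KRB5 is derived are assumptions made for illustration; only the two calls named in the comments come from the message.

```c
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical model of what one build's Kerberos library offers. */
struct krb5_caps {
    bool have_krb5;              /* a usable krb5 library (HAVE_KRB5) */
    bool have_set_req_cksumtype; /* krb5_auth_con_set_req_cksumtype() exists */
};

/* Hypothetical summary of how the AP-REQ checksum ends up being built. */
struct ap_req_plan {
    bool gss_checksum_data; /* create_gss_checksum() output is used */
    bool gss_cksumtype_set; /* request checksum type was switched to match */
};

/* Per-function testing: each step is guarded by its own probe. */
static struct ap_req_plan plan_per_function(struct krb5_caps c)
{
    struct ap_req_plan p = { false, false };
    if (c.have_krb5)
        p.gss_checksum_data = true;  /* no probe guards this step */
    if (c.have_krb5 && c.have_set_req_cksumtype)
        p.gss_cksumtype_set = true;  /* skipped on the FreeBSD-like build */
    return p;
}

/* Tiered: one derived switch (assumed HAVE_MODERN_KRB5) decides both steps. */
static struct ap_req_plan plan_tiered(struct krb5_caps c)
{
    bool modern = c.have_krb5 && c.have_set_req_cksumtype;
    struct ap_req_plan p = { modern, modern };
    return p;
}

/* The two forms the message says Samba4 copes with: plain krb5 or full GSSAPI. */
static bool plan_consistent(struct ap_req_plan p)
{
    return p.gss_checksum_data == p.gss_cksumtype_set;
}

int main(void)
{
    struct krb5_caps builds[] = { { true, false }, { true, true } };
    for (int i = 0; i < 2; i++)
        printf("setter=%d per-function ok=%d tiered ok=%d\n",
               builds[i].have_set_req_cksumtype,
               plan_consistent(plan_per_function(builds[i])),
               plan_consistent(plan_tiered(builds[i])));
    return 0;
}
```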