Samba3's fake GSSAPI and FreeBSD
abartlet at samba.org
Sat Sep 11 03:01:16 MDT 2010
I've been working with Volker to uncover an issue between Samba4 and
your recent change to clikb5.c:ads_krb5_mk_req() in

While the whole patch scares me (if we need to use real GSSAPI that
badly, we should use GSSAPI, and stop faking it up), the problem is that
we have too many combinations. In this case, the create_gss_checksum()
call is made, but on FreeBSD the krb5_auth_con_set_req_cksumtype() call
is not made as its library does not support it.

Samba4 will cope with the previous behaviour (a normal krb5 checksum
without a gssapi channel binding), and with a full gssapi channel
binding, but not this particular combination. As this is all well
outside real GSSAPI behaviour, I've put this change in to keep

Perhaps we should have two simple defines: HAVE_KRB5 and
HAVE_MODERN_KRB5, with a switch between the two rather than testing for
each function, and getting too many combinations. We just can't test
the number of variations at the moment.

In the long term, I very much look forward to replacing this with real
GSSAPI at some point, and removing much of this complexity.

Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Cisco Inc.